|
| 1 | +# Third-party dependency and license inventory |
| 2 | + |
| 3 | +The authoritative inventory of vendored components and their license surface, |
| 4 | +per [RFC-0015](../docs/rfcs/RFC-0015-third-party-vendoring-and-pinning.md). The |
| 5 | +`cargo deny check licenses` gate ([`deny.toml`](../deny.toml)) enforces the |
| 6 | +allowed-license set against the resolved dependency graph on every PR. |
| 7 | + |
| 8 | +## Vendored components |
| 9 | + |
| 10 | +| Component | Path | Pin | License | REVISION | |
| 11 | +| --- | --- | --- | --- | --- | |
| 12 | +| Stwo | `third_party/stwo` | `v2.2.0` (`289c20de`) | Apache-2.0 | [`stwo/REVISION`](stwo/REVISION) | |
| 13 | +| stwo-circuits | `third_party/stwo-circuits` | `v0.1.0` (`b0db13e4`) | Apache-2.0 | pending (#25) | |
| 14 | + |
| 15 | +Each vendored component is pinned by commit, carries its upstream `LICENSE` |
| 16 | +verbatim and a recorded `NOTICE`, and is referenced by path only (INV-RFC0015-01: |
| 17 | +no crates.io/git source for a substrate package). |
| 18 | + |
| 19 | +## License surface of the resolved graph (Stwo vendored) |
| 20 | + |
| 21 | +Licenses present in the transitive dependency tree once `stwo` is wired in. Every |
| 22 | +crate resolves to at least one allowed license (dual-licensed crates list every |
| 23 | +option; the allowed alternative satisfies the gate). |
| 24 | + |
| 25 | +| SPDX license | Allowed | Notes | |
| 26 | +| --- | --- | --- | |
| 27 | +| Apache-2.0 | yes | project license; most of the tree | |
| 28 | +| MIT | yes | most of the tree (dual with Apache-2.0) | |
| 29 | +| BSD-2-Clause | yes | `arrayref` (single), `zerocopy` (dual) | |
| 30 | +| BSD-3-Clause | yes | `subtle` | |
| 31 | +| Unicode-3.0 | yes | `unicode-ident` (dual) | |
| 32 | +| Zlib | yes | `foldhash` (single), `bytemuck` (dual) | |
| 33 | +| Apache-2.0 WITH LLVM-exception | via Apache-2.0 | `blake3`, `wasi` (dual with Apache-2.0) | |
| 34 | +| CC0-1.0 / MIT-0 / Unlicense | via alternative | `blake3`, `constant_time_eq`, `memchr` — each dual with an allowed license | |
| 35 | + |
| 36 | +The allow-list lives in [`deny.toml`](../deny.toml). Duplicate dependency |
| 37 | +versions (e.g. `itertools` 0.10/0.12, `hashbrown` 0.14/0.17, `syn` 1/2) are |
| 38 | +permitted (`bans.multiple-versions = "allow"`) because they originate in the |
| 39 | +pinned upstream tree; tightening is tracked by the vendoring-audit work (#26). |
0 commit comments