From 2c9e0ce734560b020e554655636cd8b430fa3f4a Mon Sep 17 00:00:00 2001
From: Lukas Lihotzki
Date: Thu, 9 Apr 2026 16:25:00 +0200
Subject: [PATCH] feat(rust): deny openssl
---
 linting/rust/deny.toml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/linting/rust/deny.toml b/linting/rust/deny.toml
index d107a45..58737f2 100644
--- a/linting/rust/deny.toml
+++ b/linting/rust/deny.toml
@@ -62,3 +62,14 @@ allow = ["AGPL-3.0-only", "AGPL-3.0-or-later"]
 [[licenses.exceptions]]
 name = "zitadel-token"
 allow = ["AGPL-3.0-only", "AGPL-3.0-or-later"]
+
+# Ban openssl, because only rustls should be used in general. Most of the
+# ecosystem supports to choose between openssl and rustls with feature flags
+# such as `rustls-tls`, and we prefer rustls because it forbids unsafe code.
+# Usually, openssl gets included acidentally, so let's ban it here. If you
+# actually must use openssl, override this ban and add an explanation. Add a
+# ban of rustls in this case, except when you actually need two different TLS
+# implementations, which also would need to be explained.
+[[bans.deny]]
+name = "openssl-sys"
+wrappers = []
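Review bot: The comment above the new `[[bans.deny]]` entry tells readers to "override this ban" without saying how, and `wrappers = []` behaves the same as omitting the key, so nothing points to the one scoped exception cargo-deny offers. I would end the comment with something like `# If a crate must use openssl, add it to "wrappers" below and explain why.`, so an exception stays limited to named direct dependents instead of the whole entry being removed. The rationale also overstates the guarantee: the unsafe-code prohibition covers the rustls crate itself, while the crypto provider it links still contains unsafe and non-Rust code, so `because the rustls crate itself forbids unsafe code` would be more accurate. In the same comment, "acidentally" should read "accidentally" and "supports to choose" reads better as "supports choosing".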