lint: add a negative dependency checker

Add a program that looks for undesired dependencies in the workspace
dependency graph.

Example output:
```
Found 3 dependency policy violations.

================================================================================
Found a violation of rule #1 defined in depcheck/src/main.rs:
================================================================================
'*' should not depend on 'git2'.

If you need to get data from Git, consider executing 'git' command as a
subprocess. 'git2' requires native libraries and increases compile time by ~10s,
usually providing little value.

Shortest dependency path:
depcheck:0.1.0
└── git2:0.7.2

================================================================================
Found a violation of rule #2 defined in depcheck/src/main.rs:
================================================================================
'ic-replica' should not depend on 'dfn_core'.

Replica must not depend on Rust CDK.

Shortest dependency path:
ic-replica:0.8.0
└── ic-crypto:0.8.0
    └── ic-crypto-tls-cert-validation:0.8.0
        └── dfn_core:0.8.0

================================================================================
Found a violation of rule #3 defined in depcheck/src/main.rs:
================================================================================
'ic-interfaces' should not depend on 'tokio'.

Interfaces should not depend on implementation details.

Shortest dependency path:
ic-interfaces:0.8.0
└── tokio:1.17.0

``` 

See merge request dfinity-lab/public/ic!3524

…aster'

perf: [EXC-1119] optimise Scheduler::execute_round by removing excessive canister state lookups

This MR removes an extra lookups for canister state and metric updates.

Optimisation #1. Canister metric update.

Before this MR in order to record the metric there is a loop that iterates over all the canister IDs, looks up their state in states and modifies the state. When the number of canisters is big then the lookup introduces a significant factor to an O(n) iteration. Eg. for a subnet with 100k total and 100 active canisters it might be ~10% of `execute_round` function time.

This MR moves the metric update to the already existing loop with a lookup in a previous step `apply_scheduling_strategy`.

Optimisation #2. Canister state update.

Both `canister_states` and `round_states` contain the elements in the same order, but when iterating over `round_states` it requires to do an expensive canister state lookup. The optimisation iterates over those two collections simultaneously (relying on the same elements order) which get the canister state for free.

On a testnet with 100k total and 100 active canisters this optimisation saves 4.8-5.2% of DSM critical path (scheduling step, no optimisation 7.5-8.2%, with optimisation 2.7-3%). 

See merge request dfinity-lab/public/ic!11052

… 'master'

feat(crypto) CRP-1894: Zeroize old secret key store when writing new content

The way the SKS is currently updated is as follows:

1. On startup, the SKS is read from disk, and maintained in memory.
2. If changes are made to the SKS (new key generated, old key deleted), the changes are made in memory, and then written to disk. The writing to disk is performed as follows:
    1. Write the updated SKS to a new, temporary file.
    2. Atomically replace the existing SKS by moving/renaming the new SKS to the location of the existing SKS.

To zeroize the old SKS, the proposed approach when writing the new SKS to disk is as follows:

1. Create a hard link to the old SKS - same path and filename, but with “.old” suffix
2. Write the new SKS to disk using the temporary file and rename to replace the existing SKS as above.
3. Zeroize the old SKS file using the hard link created in step #1.
4. Remove the hard link created in step #1.

In case the node/process crashes while writing the new SKS (in practice, somewhere after step #1 but before step #4), some cleanup needs to be done:

- If the crash happened after #1 but before #2, the hard link with the “.old” suffix will point to the current SKS - in this case, simply remove the hard link to the SKS, but do not zeroize it.
- If the crash happened after #2, perform steps #3 and #4 from above (zeroize the old file and delete it).
 
The cleanup can be done when opening the SKS to read it. To determine which of the two cleanup actions should be done, check to see if a hard link with “.old” suffix exists, and if so, if it points to the same file (inode) as the current SKS - if yes, zeroize and delete the “.old” file; if no, simply delete the “.old” file.

One scenario where this zeroization introduces a new security exposure is in case we crash between steps #2 and #3 above, where the new keystore has been written, but there is still a hard link to the old keystore, and the old keystore has not been zeroized. 

See merge request dfinity-lab/public/ic!10724

…from selection

Feat(NODE-1353): Consolidate rootfs utils #2

There's still more consolidation left to do. This is a big enough chunk though. 

See merge request dfinity-lab/public/ic!18997

#977)

This PR is the first step towards enabling the `SnsW.get_wasm_metadata`
endpoint in production. For that, we need a way to store the metadata in
the stable memory, as recomputing it each time is expensive (because
canister WASMs stored in SNS-W are often compressed).

Unlike the [first attempt](#956), this
PR makes it harder to represent disallowed states in the type system,
e.g., there cannot metadata that does not belong to any WASM stored in
SNS-W.

---------

Co-authored-by: IDX GitHub Automation <[email protected]>
Co-authored-by: Carly Gundy <[email protected]>
Co-authored-by: Mathias Björkqvist <[email protected]>
Co-authored-by: tim gretler <[email protected]>

…_total_size_too_large more similar

https://dfinity.atlassian.net/browse/NODE-1619

bbfb096 - Fix grub backwards
compatibility by continuing to pass extra_boot_args

d7533c0 - Create boot_args.template for
hostos and guestos

ba50c70 - Create requires_root_signing
bool

9e7d432 - Move boot_args.template files
to bootloader/

This reverts commit 6446247.

This reverts commit 6446247.

)

This reverts commit 6446247 since it
breaks the`//rs/tests/nested:registration` test
([BuildBuddy](https://dash.zh1-idx1.dfinity.network/invocation/7daaa936-92fa-40c6-bb44-a7405d0a7192?target=%2F%2Frs%2Ftests%2Fnested%3Aregistration&targetStatus=6)).

https://dfinity.atlassian.net/browse/NODE-1619

bbfb096 - Fix grub backwards
compatibility by continuing to pass extra_boot_args

d7533c0 - Create boot_args.template for
hostos and guestos

ba50c70 - Create requires_root_signing
bool

9e7d432 - Move boot_args.template files
to bootloader/

Following #5437 and
#5455, with additional changes only to
fix test driver and update docs
([compare](https://github.com/dfinity/ic/pull/5462/files/ac5816f8b6fb19d7aa527728cdafac696c086cd3..1070935f0f31b9fa9fdcd69a3ff0ef34ffbd6fe2)).

---------

Co-authored-by: Andrew Battat <[email protected]>
Co-authored-by: Bas van Dijk <[email protected]>

Following #5437 and
#5455, with additional changes only to
fix test driver and update docs
([compare](https://github.com/dfinity/ic/pull/5462/files/ac5816f8b6fb19d7aa527728cdafac696c086cd3..1070935f0f31b9fa9fdcd69a3ff0ef34ffbd6fe2)).

---------

Co-authored-by: Andrew Battat <[email protected]>
Co-authored-by: Bas van Dijk <[email protected]>