diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a727a4ab..48f5e050 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -58,7 +58,7 @@ jobs:
     - uses: EmbarkStudios/cargo-deny-action@v2
       with:
         log-level: warn
-        command: check bans sources licenses
+        command: check -A duplicate bans sources licenses
   install-tests:
     if: ${{ !contains(github.event.pull_request.labels.*.name, 'control/skip-ci') }}
     name: "Test install"
diff --git a/deny.toml b/deny.toml
index a5340e3c..56970b87 100644
--- a/deny.toml
+++ b/deny.toml
@@ -1,5 +1,9 @@
 [licenses]
-allow = ["Apache-2.0", "Apache-2.0 WITH LLVM-exception", "MIT", "BSD-3-Clause", "BSD-2-Clause", "Unicode-DFS-2016"]
+allow = ["Apache-2.0", "Apache-2.0 WITH LLVM-exception", "MIT",
+         "BSD-3-Clause", "BSD-2-Clause", "Zlib",
+         "Unlicense", "CC0-1.0",
+         "Unicode-DFS-2016", "Unicode-3.0"]
+private = { ignore = true }
 
 [[bans.deny]]
 # We want to require FIPS validation downstream, so we use openssl
@@ -8,6 +12,4 @@ name = "ring"
 [sources]
 unknown-registry = "deny"
 unknown-git = "deny"
-allow-git = [
-    "https://github.com/ostreedev/ostree-rs-ext"
-]
+allow-git = []