Comment 1 for bug 2048781

Mark Esler (eslerm) wrote (last edit ):

Vendored packaging is required for Go and Rust, but does not scale well for maintenance. There is a lot of vendored code in this package.

Is Security responsible for monitoring all 190 vendored packages for CVEs? Is Security responsible for resolving vulnerabilities in every vendored package?

Security could monitor CVE assignments to vendored packages and alert owning teams. I believe owning teams need to own vendored package maintenance. Otherwise the scaling nature of vendored packages falls on Security and will not be sustainable. After Security's CVE intake, the owning team would need to set the affected status of CVEs in vendored packages.

Are there unnecessary dependencies in this package? Should we package or maintain ./vendor_rust/win* ?

What is Security's responsibility in reviewing dependencies during an MIR? If we don't review each package there is an MIR loophole to avoid security concerns. We cannot perform a security review of 191 packages by 24.04.

Please see the vendored discussion on ubuntu-mir [0], particularly the comment about [1] `cargo vendor` causing unnecessary vendoring.

eslerm@mino:~/audits/authd/noble/authd-0.2$ ls vendor_rust/ vendor/*/ |wc -l
190

[0] https://github.com/canonical/ubuntu-mir/issues/35
[1] https://github.com/canonical/ubuntu-mir/issues/35#issuecomment-1859325671

edit: owning team already stated they are "commit[ed] to provide [vendor] updates to the security team" :)

As a debdiff for Security to sponsor, that sounds great \o/
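The `ls ... | wc -l` count above gives a number but not the name/version list that CVE monitoring of vendored packages actually needs. The script below is an added example (not from this bug report, the commenter, or the authd project) that builds that inventory from the same two layouts the comment refers to: Go modules listed in vendor/modules.txt and Rust crates under vendor_rust/<crate>/Cargo.toml. It also flags crates matching the ./vendor_rust/win* pattern as candidates to question in review. The sample tree it writes is constructed; the module and crate names and versions are illustrative, not authd's real dependencies.

```python
#!/usr/bin/env python3
"""Inventory vendored Go modules and Rust crates as (ecosystem, name, version).

Assumed layout (Debian-style vendoring): vendor/modules.txt for Go,
vendor_rust/<crate>/Cargo.toml for Rust. Sample input below is constructed.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample tree: names and versions are illustrative only.
SAMPLE_TREE = {
    "vendor/modules.txt": (
        "# github.com/example/foo v1.2.3\n"
        "## explicit; go 1.20\n"
        "github.com/example/foo\n"
        "# golang.org/x/sys v0.15.0\n"
        "## explicit\n"
        "golang.org/x/sys/unix\n"
    ),
    "vendor_rust/serde/Cargo.toml": '[package]\nname = "serde"\nversion = "1.0.193"\n',
    "vendor_rust/winapi/Cargo.toml": '[package]\nname = "winapi"\nversion = "0.3.9"\n',
    "vendor_rust/windows-sys/Cargo.toml": '[package]\nname = "windows-sys"\nversion = "0.48.0"\n',
}

# "# module/path vX.Y.Z" header lines in modules.txt (replace lines keep the original version)
MODULE_HEADER = re.compile(r"^# (\S+) (v\S+)")
# name = "..." / version = "..." inside the [package] table of a Cargo.toml
TOML_KV = re.compile(r'^\s*(name|version)\s*=\s*"([^"]*)"')
# Name-based heuristic mirroring the ./vendor_rust/win* glob from the comment
WINDOWS_ONLY = re.compile(r"^win")


def write_sample_tree(root: Path) -> None:
    """Materialise the constructed sample tree under root."""
    for rel, text in SAMPLE_TREE.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def go_modules(root: Path) -> dict:
    """Module path -> version, taken from the '# module vX.Y.Z' headers in vendor/modules.txt."""
    modules = {}
    modules_txt = root / "vendor" / "modules.txt"
    if not modules_txt.is_file():
        return modules
    for line in modules_txt.read_text().splitlines():
        m = MODULE_HEADER.match(line)
        if m:
            modules[m.group(1)] = m.group(2)
    return modules


def rust_crates(root: Path) -> dict:
    """Crate name -> version, from the [package] table of each vendor_rust/*/Cargo.toml."""
    crates = {}
    for manifest in sorted((root / "vendor_rust").glob("*/Cargo.toml")):
        fields, in_package = {}, False
        for line in manifest.read_text().splitlines():
            stripped = line.strip()
            if stripped.startswith("["):
                in_package = stripped == "[package]"  # only read keys from [package]
                continue
            m = TOML_KV.match(line) if in_package else None
            if m and m.group(1) not in fields:
                fields[m.group(1)] = m.group(2)
        if "name" in fields and "version" in fields:
            crates[fields["name"]] = fields["version"]
    return crates


def inventory(root: Path) -> list:
    """Flat sorted (ecosystem, name, version) list: the input a CVE-monitoring job consumes."""
    items = [("go", n, v) for n, v in go_modules(root).items()]
    items += [("rust", n, v) for n, v in rust_crates(root).items()]
    return sorted(items)


def windows_only(crates: dict) -> list:
    """Crate names matching the win* pattern: candidates to question during review."""
    return sorted(n for n in crates if WINDOWS_ONLY.match(n))


def demo() -> dict:
    """Build the constructed tree in a temp dir and return inventory plus win* suspects."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_tree(root)
        return {"inventory": inventory(root), "windows_only": windows_only(rust_crates(root))}


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['inventory'])} vendored packages")
    for eco, name, version in result["inventory"]:
        print(f"{eco:5} {name} {version}")
    print("win* candidates:", ", ".join(result["windows_only"]))
```

Pointing `inventory()` at a real unpacked source tree instead of the temp dir yields the list to hand to whoever monitors CVE assignments; the win* check is only a name heuristic, so a flagged crate still needs a look at who depends on it before it is dropped.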