dh-cargo-vendored-sources produces misleading XS-Vendored-Sources-Rust

Bug #2111699 reported by Gauthier Jolly
Affects             Status        Importance  Assigned to  Milestone
dh-cargo (Ubuntu)   Fix Released  Undecided   Unassigned
  Jammy             New           Undecided   Unassigned
  Noble             New           Undecided   Unassigned
  Oracular          Won't Fix     Undecided   Unassigned
  Plucky            New           Undecided   Unassigned

Bug Description

On Jammy and Noble, dh-cargo-vendored-sources is not able to detect when the rust-vendor directory has been generated with cargo-vendor-filterer, thus producing an XS-Vendored-Sources-Rust string that does not accurately reflect the Rust dependencies. Specifically, XS-Vendored-Sources-Rust will include dependencies that have been selectively removed by cargo-vendor-filterer.

This issue is fixed in plucky, but I think this fix should be backported to prevent a Rust package from being flagged by the security team if a CVE affects one of the dependencies that has been removed by dh-cargo-vendored-sources.
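The mismatch described above can be checked mechanically: compare the crates a package declares in XS-Vendored-Sources-Rust with the crates actually present under rust-vendor/, and flag anything declared but not vendored (those are the entries that would draw a spurious CVE flag) or vendored but not declared (those would be missed). The script below is an added example, not code from dh-cargo or from the bug report. It assumes the field is a comma-separated list of name@version entries and that each vendored crate is a directory under rust-vendor/ containing a Cargo.toml with name and version in its [package] table; the sample field and the vendor tree it builds are constructed.

```python
"""Cross-check XS-Vendored-Sources-Rust against a rust-vendor/ tree.

Added example (not dh-cargo's own code). Assumptions:
  * the field is a comma-separated list of ``name@version`` entries;
  * each vendored crate is a directory holding a Cargo.toml whose
    [package] table carries ``name = "..."`` and ``version = "..."``.
All sample data below is constructed for the demonstration.
"""
import os
import re
import tempfile

# Constructed sample: the declared field still lists windows-sys, which
# cargo-vendor-filterer dropped from the vendor tree.
SAMPLE_FIELD = "adler@1.0.2, aho-corasick@0.7.18, windows-sys@0.42.0"
SAMPLE_VENDORED = [("adler", "1.0.2"), ("aho-corasick", "0.7.18")]

_NAME_RE = re.compile(r'^name\s*=\s*"([^"]+)"', re.M)
_VERSION_RE = re.compile(r'^version\s*=\s*"([^"]+)"', re.M)


def parse_vendored_sources(field: str) -> set:
    """Turn 'a@1.0, b@2.0' into {'a@1.0', 'b@2.0'}; tolerates folded lines."""
    entries = set()
    for raw in field.replace("\n", " ").split(","):
        raw = raw.strip()
        if not raw:
            continue
        if "@" not in raw:
            raise ValueError(f"malformed entry, expected name@version: {raw!r}")
        entries.add(raw)
    return entries


def crates_in_vendor_dir(vendor_dir: str) -> set:
    """Collect name@version from every crate directory that has a Cargo.toml.

    Reading the manifest instead of splitting the directory name avoids
    ambiguity for crate names that themselves contain '-<digit>'.
    """
    found = set()
    for entry in sorted(os.listdir(vendor_dir)):
        manifest = os.path.join(vendor_dir, entry, "Cargo.toml")
        if not os.path.isfile(manifest):
            continue
        with open(manifest, encoding="utf-8") as fh:
            text = fh.read()
        name = _NAME_RE.search(text)
        version = _VERSION_RE.search(text)
        if not (name and version):
            raise ValueError(f"no name/version in {manifest}")
        found.add(f"{name[1]}@{version[1]}")
    return found


def compare(field: str, vendor_dir: str) -> dict:
    """Return crates declared but missing, and vendored but undeclared."""
    declared = parse_vendored_sources(field)
    present = crates_in_vendor_dir(vendor_dir)
    return {
        "declared_not_vendored": sorted(declared - present),
        "vendored_not_declared": sorted(present - declared),
    }


def build_sample_vendor_dir() -> str:
    """Create a throwaway rust-vendor/ tree from SAMPLE_VENDORED (constructed)."""
    root = tempfile.mkdtemp(prefix="rust-vendor-")
    for name, version in SAMPLE_VENDORED:
        crate_dir = os.path.join(root, f"{name}-{version}")
        os.makedirs(crate_dir)
        with open(os.path.join(crate_dir, "Cargo.toml"), "w", encoding="utf-8") as fh:
            fh.write(f'[package]\nname = "{name}"\nversion = "{version}"\n')
    return root


if __name__ == "__main__":
    report = compare(SAMPLE_FIELD, build_sample_vendor_dir())
    for crate in report["declared_not_vendored"]:
        print(f"declared but not vendored (would be flagged needlessly): {crate}")
    for crate in report["vendored_not_declared"]:
        print(f"vendored but not declared (would be missed in triage): {crate}")
```

Run against a real source package by passing the XS-Vendored-Sources-Rust value from debian/control and the unpacked rust-vendor/ directory to compare(); a non-empty declared_not_vendored list is exactly the condition the report describes.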

Julian Andres Klode (juliank) wrote :

More fixes are needed to the plucky dh-cargo-vendor detection code before that's possible; as it stands, we know it breaks certain crates. I have a patch from Zixing that fixes that, but it needs to land in questing first.

Gauthier Jolly (gjolly)
Changed in dh-cargo (Ubuntu):
status: New → Fix Released
Ural Tunaboyu (uralt) wrote :

Ubuntu 24.10 (Oracular Oriole) has reached end of life, so this bug will not be fixed for that specific release.

Changed in dh-cargo (Ubuntu Oracular):
status: New → Won't Fix