On 2024-04-04 13:18, Ben Greiner wrote:
But is this actually executed? Does a bot, not to say a reviewer, really look into vendor.tar.xz and try to reproduce it? I am not too deep into rust packaging, but does cargo_vendor actually create reproducible archives based on the lock files or can vendored packages jump in version?
`cargo vendor` creates the vendor directory that later is compressed by the osc service. If you manually change the content here or later (with a patch), the hash will be different and `cargo build` will complain when comparing with Cargo.lock. To patch a vendored crate you need to annotate it via [patch.crates-io]. This all makes a naive attack more evident, but AFAIK I still did not see any idea that will protect us from the kind of attack that XZ suffered, when a rogue maintainer signs compromised upstream tarballs, nor, as commented, when an OBS package maintainer decides to add a backdoor in the package. Reviews are the only tool that I can see that can help, but it scales so far.
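As an added illustration of the checksum mechanism mentioned above (my own example, not code from the thread or from cargo): this script re-verifies a vendored crate against its `.cargo-checksum.json` the way `cargo build` does for a vendored directory source, and shows that an in-place edit of a vendored file is detected. The `demo-crate` contents are constructed, and the statement that cargo only checks files listed in the manifest is my assumption about cargo internals.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_vendored_crate(crate_dir) -> dict:
    """Compare a vendored crate with its .cargo-checksum.json ({"files": {relpath: sha256hex}, ...}).
    Unlisted files are reported too; cargo's own check only covers listed files
    (assumption about cargo internals, not something the thread states)."""
    crate_dir = Path(crate_dir)
    listed = json.loads((crate_dir / ".cargo-checksum.json").read_text())["files"]
    result = {"mismatched": [], "missing": [], "unlisted": []}
    for rel, expected in listed.items():
        p = crate_dir / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != expected:
            result["mismatched"].append(rel)
    for p in crate_dir.rglob("*"):
        rel = p.relative_to(crate_dir).as_posix()
        if p.is_file() and rel != ".cargo-checksum.json" and rel not in listed:
            result["unlisted"].append(rel)
    return {k: sorted(v) for k, v in result.items()}

def build_sample_crate(root) -> Path:
    """Construct a tiny vendored crate with a valid manifest (constructed demo data)."""
    crate = Path(root) / "vendor" / "demo-crate-0.1.0"
    (crate / "src").mkdir(parents=True)
    (crate / "Cargo.toml").write_text('[package]\nname = "demo-crate"\nversion = "0.1.0"\n')
    (crate / "src" / "lib.rs").write_text("pub fn answer() -> u32 { 42 }\n")
    files = {rel: sha256_file(crate / rel) for rel in ("Cargo.toml", "src/lib.rs")}
    (crate / ".cargo-checksum.json").write_text(json.dumps({"files": files, "package": "0" * 64}))
    return crate

def demo() -> tuple:
    """Verify a clean crate, then alter it the way a stray patch of vendor/ would."""
    crate = build_sample_crate(tempfile.mkdtemp())
    clean = verify_vendored_crate(crate)
    (crate / "src" / "lib.rs").write_text("pub fn answer() -> u32 { 43 }\n")  # edited in place
    (crate / "src" / "extra.rs").write_text("")  # new file not in the manifest
    return clean, verify_vendored_crate(crate)
```

Running `demo()` returns an empty report for the untouched crate and flags `src/lib.rs` as mismatched and `src/extra.rs` as unlisted after the edit, which is the situation in which `cargo build` refuses to proceed.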