On 04.04.24 at 19:07, aplanas wrote:
> On 2024-04-04 15:47, Ben Greiner wrote:
>> [ben@skylab:…on:jupyter/python-pycrdt]% head Cargo.lock
> This Cargo.lock is one that is inside the vendor. Inserting this file in the vendor tarball is a decision from the obs cargo_vendor service, not from cargo vendor. This file should be present in the upstream tarball.
>
> In this case, the security issue seems to be in the pycrdt project, that does not provide the expected Cargo.lock, so it is not integrated in the pycrdt-0.8.17.tar.xz, that is where it should be.
The tarball from PyPI contains a Cargo.lock file. Here we are again with legitimate (!) differences from the github repo to release tarballs.

But: It. Does. Not. Matter.

I maliciously changed vendor.tar.xz after creating the initial file with the cargo_vendor service. No source validator or review bot on obs would have detected that I committed something different than what the service created. It probably should, but it is quite expensive in terms of obs server resources.
[1] https://github.com/openSUSE/obs-service-cargo_vendor?tab=readme-ov-file#what-is-inside-vendortarzstgzxz
[2] https://github.com/jupyter-server/pycrdt
- Ben
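The check Ben says is missing, as an added example that is not part of this thread, of OBS, or of the cargo_vendor service: it walks an unpacked vendor tree and cross-checks it against Cargo.lock. It assumes the layout `cargo vendor` writes (one directory per crate, each with a `.cargo-checksum.json` holding per-file sha256 hashes and the sha256 of the original `.crate` file under `"package"`) and that the `checksum` line of the matching `[[package]]` entry in Cargo.lock carries that same package hash. The crate, Cargo.lock and the four tampering modes in `run_demo` are constructed on the fly in a temporary directory.

```python
"""Cross-check a vendored crate tree against Cargo.lock (added example)."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# key = "value" lines inside a [[package]] entry of Cargo.lock
KV_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def parse_cargo_lock(text):
    """Map each registry package's checksum to (name, version)."""
    entries, entry = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            entry = {}
            entries.append(entry)
        elif entry is not None:
            m = KV_RE.match(line)
            if m:
                entry[m.group(1)] = m.group(2)
    # path and git dependencies carry no checksum line; only registry crates do
    return {e["checksum"]: (e["name"], e["version"]) for e in entries if "checksum" in e}


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def verify_vendor_dir(vendor_dir, lock_text):
    """Return a list of findings; an empty list means the tree is consistent."""
    expected = parse_cargo_lock(lock_text)
    findings, matched = [], set()
    for crate in sorted(p for p in Path(vendor_dir).iterdir() if p.is_dir()):
        manifest = crate / ".cargo-checksum.json"
        if not manifest.is_file():
            findings.append(f"{crate.name}: missing .cargo-checksum.json")
            continue
        meta = json.loads(manifest.read_text())
        listed = meta.get("files", {})
        # Every file on disk must be listed with a matching hash ...
        for f in sorted(p for p in crate.rglob("*") if p.is_file() and p != manifest):
            rel = f.relative_to(crate).as_posix()
            if rel not in listed:
                findings.append(f"{crate.name}: {rel} not in checksum manifest")
            elif sha256_of(f) != listed[rel]:
                findings.append(f"{crate.name}: {rel} hash mismatch")
        # ... and every listed file must exist.
        for rel in listed:
            if not (crate / rel).is_file():
                findings.append(f"{crate.name}: {rel} listed but missing")
        # The package hash ties the directory to a Cargo.lock entry.
        pkg = meta.get("package")
        if pkg is None:
            continue  # git/path sources have no registry checksum
        if pkg in expected:
            matched.add(pkg)
        else:
            findings.append(f"{crate.name}: package checksum not in Cargo.lock")
    for cs, (name, ver) in expected.items():
        if cs not in matched:
            findings.append(f"{name} {ver}: in Cargo.lock but not vendored")
    return findings


def run_demo(mode="clean"):
    """Build a constructed one-crate vendor tree, optionally tamper, and check it.

    mode: "clean", "modify" (edit a source file after the service ran),
    "add_file" (drop in an extra file), "relock" (Cargo.lock disagrees).
    """
    root = Path(tempfile.mkdtemp())
    crate = root / "vendor" / "tiny"
    (crate / "src").mkdir(parents=True)
    lib = crate / "src" / "lib.rs"
    lib.write_text("pub fn add(a: u32, b: u32) -> u32 { a + b }\n")
    # constructed stand-in for the sha256 of tiny-0.1.0.crate
    pkg = hashlib.sha256(b"constructed stand-in for tiny-0.1.0.crate").hexdigest()
    manifest = {"files": {"src/lib.rs": sha256_of(lib)}, "package": pkg}
    (crate / ".cargo-checksum.json").write_text(json.dumps(manifest))
    if mode == "modify":
        lib.write_text("pub fn add(a: u32, b: u32) -> u32 { a + b + 1 }\n")
    elif mode == "add_file":
        (crate / "build.rs").write_text("fn main() {}\n")
    elif mode == "relock":
        pkg = hashlib.sha256(b"some other crate").hexdigest()
    lock = (
        "[[package]]\n"
        'name = "tiny"\n'
        'version = "0.1.0"\n'
        'source = "registry+https://github.com/rust-lang/crates.io-index"\n'
        f'checksum = "{pkg}"\n'
    )
    return verify_vendor_dir(root / "vendor", lock)


if __name__ == "__main__":
    for mode in ("clean", "modify", "add_file", "relock"):
        print(mode, run_demo(mode) or "OK")
```

The per-file hashes only catch an edit that leaves `.cargo-checksum.json` untouched; someone who rewrites the manifest along with the file passes this check. The `package` hash is the stronger anchor, because it is the sha256 of the `.crate` file as published on the registry, so a review bot that wants to catch a rewritten manifest has to fetch that `.crate` again and recompute the hash itself, which is exactly the server-side cost the message above refers to.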