Hi,

On 21.10.22 at 12:41, Dirk Müller wrote:
> Hi all,
>
> William Brown, together with the SUSE Security team, implemented a new enforcing check that enforces that "cargo_audit" is going to be used for Rust-built packages going forward.
>
> See https://en.opensuse.org/openSUSE:Packaging_Rust_Software for details.
>
> While announced here, this will be enforced globally as source-validator is shared between all distros, so please also watch out for failing maintenance updates for that reason.
>
> Greetings,
> Dirk

So how are we supposed to handle the following?

[ben@skylab:…n:numeric/python-cramjam]% osc service runall [0]
Already up to date.
29d9e3b4e1e116761637b7a0f3ac8830f2f1541b
Identical target file pyrus-cramjam-2.6.0.tar.xz already exists, skipping..
INFO:obs-service-cargo_vendor:Running OBS Source Service: obs-service-cargo_vendor
INFO:obs-service-cargo_vendor:Current work dir /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:numeric/python-cramjam
INFO:obs-service-cargo_vendor:Searching for Cargo.toml in /tmp/tmpnyjnen_n/pyrus-cramjam
INFO:obs-service-cargo_vendor:Detected Rust app directory: /tmp/tmpnyjnen_n/pyrus-cramjam
INFO:obs-service-cargo_vendor:Updating deps before vendor
INFO:obs-service-cargo_vendor:Running cargo update in directory: /tmp/tmpnyjnen_n/pyrus-cramjam
INFO:obs-service-cargo_vendor:✅ cargo update success
INFO:obs-service-cargo_vendor:Vendoring Cargo.toml deps to /tmp/tmpnyjnen_n/pyrus-cramjam/vendor
INFO:obs-service-cargo_vendor:Running cargo vendor in directory: /tmp/tmpnyjnen_n/pyrus-cramjam
INFO:obs-service-cargo_vendor:✅ cargo vendor success
INFO:obs-service-cargo_vendor: Examples of how to modify your spec file to use vendored libraries can be found online:
https://en.opensuse.org/Packaging_Rust_Software#Creating_the_Package
WARNING: To avoid cargo install rebuilding the binary in the install stage all environment variables must be the same as in the build stage.
INFO:obs-service-cargo_vendor:Starting compression ...
INFO:obs-service-cargo_vendor:Success
INFO:obs-service-cargo_audit: Running OBS Source Service : obs-service-cargo_audit
ERROR:obs-service-cargo_audit: possible vulnerabilties: 1
ERROR:obs-service-cargo_audit: /tmp/tmptxa26w30/pyrus-cramjam/Cargo.lock
ERROR:obs-service-cargo_audit: For more information you SHOULD inspect the output of cargo audit manually
ERROR:obs-service-cargo_audit: * RUSTSEC-2021-0131 -> crate: brotli-sys, cvss: None, class: ['memory-corruption']
ERROR:obs-service-cargo_audit: ⚠️ Vulnerabilities may have been found. You must review these.
Aborting: service call failed: /usr/lib/obs/service/cargo_audit --srcdir pyrus-cramjam --outdir /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:numeric/python-cramjam/tmpegree2c6.cargo_audit.service

Thanks,
Ben