On 04.04.24 at 15:38, aplanas wrote:
On 2024-04-04 13:18, Ben Greiner wrote:
But is this actually executed? Does a bot, not to say a reviewer, really look into vendor.tar.xz and try to reproduce it? I am not too deep into rust packaging, but does cargo_vendor actually create reproducible archives based on the lock files or can vendored packages jump in version?
`cargo vendor` creates the vendor directory that later is compressed by the osc service. If you manually change the content here or later (with a patch), the hash will be different and `cargo build` will complain when comparing with Cargo.lock. To patch a vendored crate you need to annotate it via [patch.crates-io].
But what if you also modify the hash in Cargo.lock? `cargo build` (or python-maturin) during rpmbuild inside OBS has no network connectivity and cannot check against trusted rust repositories. Is there a service/bot on obs that checks for compliance with published crates while connected to network?
This all makes a naive attack more evident, but AFAIK I still did not see any idea that will protect us from the kind of attack that XZ suffered, when a rogue maintainer signs compromised upstream tarballs, nor, as commented, when an OBS package maintainer decides to add a backdoor in the package.
Atri's argument from the beginning.
Reviews are the only tool that I can see that can help, but it only scales so far.
Again, who reviews vendor.tar.xz? I suspect nobody. - Ben
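The thread raises two distinct checks on a vendor tree: the one `cargo build` does offline (every vendored file matches `.cargo-checksum.json`, and its `package` hash matches Cargo.lock) and the one nobody on OBS currently does (the Cargo.lock checksum matches what crates.io actually published). The script below is an added illustration, not part of this thread or of any OBS/osc service, of what a review bot for vendor.tar.xz could do: it parses Cargo.lock, walks an unpacked vendor directory, and optionally cross-checks each crates.io dependency against the sparse index at index.crates.io. The sample crate, its checksums and the index entry in `build_demo_tree` are constructed test data; `fetch_sparse_index` is the only part that touches the network and is not used by the demo.

```python
"""Consistency checks for an unpacked Rust vendor tree (added example, not OBS code)."""
from __future__ import annotations

import hashlib
import json
import re
import tempfile
import urllib.request
from pathlib import Path
from typing import Callable, Optional

CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"
_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$', re.M)


def parse_cargo_lock(text: str) -> list[dict]:
    """Minimal parser for the [[package]] tables cargo writes (key = "value" lines only)."""
    return [dict(_KV.findall(block)) for block in text.split("[[package]]")[1:]]


def sparse_index_path(name: str) -> str:
    """Relative path of a crate's entry in the crates.io sparse index layout."""
    n = name.lower()
    if len(n) == 1:
        return f"1/{n}"
    if len(n) == 2:
        return f"2/{n}"
    if len(n) == 3:
        return f"3/{n[0]}/{n}"
    return f"{n[:2]}/{n[2:4]}/{n}"


def fetch_sparse_index(rel_path: str) -> str:
    """Fetch one index file from index.crates.io (network; not used by the offline demo)."""
    with urllib.request.urlopen(f"https://index.crates.io/{rel_path}") as resp:
        return resp.read().decode()


def index_checksums(index_text: str) -> dict[str, str]:
    """version -> cksum from an index file (one JSON object per line)."""
    recs = (json.loads(line) for line in index_text.splitlines() if line.strip())
    return {r["vers"]: r["cksum"] for r in recs}


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_vendor_tree(vendor: Path, lock_text: str,
                      fetch_index: Optional[Callable[[str], str]] = None) -> list[str]:
    """Return findings (empty list = consistent). Without fetch_index this is the same
    evidence offline cargo has; with it, Cargo.lock is also compared to the registry."""
    findings = []
    for pkg in parse_cargo_lock(lock_text):
        if pkg.get("source") != CRATES_IO:
            continue  # path/git dependencies have no registry checksum
        name, ver, lock_sum = pkg["name"], pkg["version"], pkg.get("checksum")
        tag = f"{name} {ver}"
        if not lock_sum:
            findings.append(f"{tag}: no checksum in Cargo.lock")
            continue
        crate_dir = vendor / name  # cargo vendor uses name-version when versions collide
        if not (crate_dir / ".cargo-checksum.json").exists():
            crate_dir = vendor / f"{name}-{ver}"
        meta_path = crate_dir / ".cargo-checksum.json"
        if not meta_path.exists():
            findings.append(f"{tag}: not vendored")
            continue
        meta = json.loads(meta_path.read_text())
        if meta.get("package") != lock_sum:
            findings.append(f"{tag}: .cargo-checksum.json package hash != Cargo.lock")
        for rel, want in meta.get("files", {}).items():
            f = crate_dir / rel
            if not f.is_file() or sha256_file(f) != want:
                findings.append(f"{tag}: file {rel} modified or missing")
        if fetch_index is not None:
            published = index_checksums(fetch_index(sparse_index_path(name)))
            if published.get(ver) != lock_sum:
                findings.append(f"{tag}: Cargo.lock checksum != crates.io index")
    return findings


def build_demo_tree(root: Path, tamper: str = "none"):
    """Constructed sample data: one fake crate plus a fake index entry. tamper="file"
    edits a source file only; tamper="all" also rewrites .cargo-checksum.json and
    Cargo.lock, the case that network-less cargo inside OBS cannot detect."""
    crate = root / "vendor" / "demo-crate"
    src = crate / "src" / "lib.rs"
    src.parent.mkdir(parents=True)
    src.write_text('pub fn hello() -> &\'static str { "hi" }\n')
    published = "a" * 64  # constructed: the cksum crates.io holds for demo-crate 0.1.0
    files, pkg_sum = {"src/lib.rs": sha256_file(src)}, published
    if tamper != "none":
        src.write_text('pub fn hello() -> &\'static str { "tampered" }\n')
    if tamper == "all":
        files["src/lib.rs"], pkg_sum = sha256_file(src), "b" * 64
    (crate / ".cargo-checksum.json").write_text(json.dumps({"files": files, "package": pkg_sum}))
    lock = (f'[[package]]\nname = "demo-crate"\nversion = "0.1.0"\n'
            f'source = "{CRATES_IO}"\nchecksum = "{pkg_sum}"\n')
    index = {sparse_index_path("demo-crate"):
             json.dumps({"name": "demo-crate", "vers": "0.1.0", "cksum": published})}
    return crate.parent, lock, index.__getitem__


def run_demo() -> dict[str, list[str]]:
    """Run the three scenarios, with and without the registry cross-check."""
    results = {}
    for mode in ("none", "file", "all"):
        with tempfile.TemporaryDirectory() as tmp:
            vendor, lock, fetch = build_demo_tree(Path(tmp), mode)
            results[f"{mode}/offline"] = check_vendor_tree(vendor, lock)
            results[f"{mode}/index"] = check_vendor_tree(vendor, lock, fetch)
    return results


if __name__ == "__main__":
    for scenario, found in run_demo().items():
        print(scenario, found or "ok")
```

The point the demo makes: in the "all" scenario the offline checks come back clean, exactly as `cargo build` would inside OBS, and only the comparison against the index flags the rewritten Cargo.lock. A bot with network access running that last step over the unpacked vendor.tar.xz is the check the thread says is missing today; it does not help against a crate that was malicious when published, which is the XZ-style case the thread also raises.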