On 2024-04-04 13:55, Ben Greiner wrote:
But what if you also modify the hash in Cargo.lock?
You will see a patch doing that, if not that means that the tgz has been modified.
This all makes a naive attack more evident, but AFAIK I still did not see any idea that will protect us from the kind of attack that XZ suffered, when a rogue maintainer signs compromised upstream tarballs, nor, as commented, when an OBS package maintainer decides to add a backdoor in the package.
Atri's argument from the beginning.
That will be a solution for the OBS case, not for the XZ one.
Reviews are the only tool that I can see that can help, but they only scale so far.
Again, who reviews vendor.tar.xz? I suspect nobody.
As commented, cargo itself. To change the lock file you need to change the original tarball, and it will (maybe) make the package source verifier [1] fail.

[1] https://en.opensuse.org/openSUSE:Package_source_verification
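The check the reply relies on ("cargo itself"), as an added example that is not part of the thread: each vendored crate directory carries a `.cargo-checksum.json` with per-file SHA-256 digests and a `package` digest that cargo compares against the `checksum` line of that crate in `Cargo.lock`. The script below re-implements that comparison over a constructed one-crate vendor tree; the crate name, file contents and the `package` digest value are made up for the sample.

```python
# Added example (not from the thread): the consistency check cargo performs on a
# vendored tree, re-implemented in Python. A changed vendored file fails the
# per-file digest; a forged .cargo-checksum.json fails the package digest unless
# Cargo.lock (a visible change in the package) is edited to match.
import hashlib
import json
import re
import tempfile
from pathlib import Path

LOCK_PKG_RE = re.compile(
    r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"'
    r'(?:\s*source = "[^"]*")?\s*checksum = "([0-9a-f]{64})"'
)

def lock_checksums(cargo_lock_text):
    """Map 'name-version' -> checksum for every checksummed package in Cargo.lock."""
    return {f"{n}-{v}": c for n, v, c in LOCK_PKG_RE.findall(cargo_lock_text)}

def verify_vendor_dir(vendor_dir, cargo_lock_text):
    """Return a list of problems; an empty list means the tree agrees with Cargo.lock."""
    problems, expected = [], lock_checksums(cargo_lock_text)
    for crate in sorted(Path(vendor_dir).iterdir()):
        meta_path = crate / ".cargo-checksum.json"
        if not meta_path.is_file():
            problems.append(f"{crate.name}: missing .cargo-checksum.json")
            continue
        meta = json.loads(meta_path.read_text())
        for rel, digest in meta.get("files", {}).items():  # per-file digests
            if hashlib.sha256((crate / rel).read_bytes()).hexdigest() != digest:
                problems.append(f"{crate.name}: {rel} digest mismatch")
        if meta.get("package") != expected.get(crate.name):  # vs. Cargo.lock
            problems.append(f"{crate.name}: package checksum differs from Cargo.lock")
    return problems

def check_sample(tamper=False):
    """Build a constructed one-crate vendor tree plus matching Cargo.lock and verify it."""
    with tempfile.TemporaryDirectory() as root:
        crate = Path(root) / "demo-0.1.0"
        crate.mkdir()
        src = b"pub fn answer() -> u32 { 42 }\n"
        (crate / "lib.rs").write_bytes(src)
        pkg = hashlib.sha256(b"constructed demo-0.1.0.crate").hexdigest()  # sample value
        meta = {"files": {"lib.rs": hashlib.sha256(src).hexdigest()}, "package": pkg}
        (crate / ".cargo-checksum.json").write_text(json.dumps(meta))
        if tamper:  # change a vendored file but leave every checksum untouched
            (crate / "lib.rs").write_bytes(b"pub fn answer() -> u32 { 41 }\n")
        lock = ('[[package]]\nname = "demo"\nversion = "0.1.0"\n'
                'source = "registry+https://github.com/rust-lang/crates.io-index"\n'
                f'checksum = "{pkg}"\n')
        return verify_vendor_dir(root, lock)
```

Running `verify_vendor_dir` over an unpacked vendor.tar.xz together with the package's Cargo.lock reports any file whose content no longer matches its recorded digest.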