On 28.10.22 at 18:09, Ben Greiner wrote:
Hi,
On 21.10.22 at 12:41, Dirk Müller wrote:
Hi all,
William Brown, together with the SUSE Security team implemented a new enforcing check that enforces that "cargo_audit" is going to be used for rust built packages going forward.
see https://en.opensuse.org/openSUSE:Packaging_Rust_Software for details.
While announced here, this will be enforced globally as source-validator is shared between all distros, so please also watch out for failing maintenance updates for that reason.
Greetings, Dirk
So how are we supposed to handle the following?
INFO:obs-service-cargo_audit: Running OBS Source Service : obs-service-cargo_audit
ERROR:obs-service-cargo_audit: possible vulnerabilties: 1
ERROR:obs-service-cargo_audit: /tmp/tmptxa26w30/pyrus-cramjam/Cargo.lock
ERROR:obs-service-cargo_audit: For more information you SHOULD inspect the output of cargo audit manually
ERROR:obs-service-cargo_audit: * RUSTSEC-2021-0131 -> crate: brotli-sys, cvss: None, class: ['memory-corruption']
ERROR:obs-service-cargo_audit: ⚠️ Vulnerabilities may have been found. You must review these.
Follow up: I reported upstream and they did the right thing: remove the offending brotli2 with brotli-sys from the cargo. https://github.com/milesgranger/pyrus-cramjam/pull/87
- Ben
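An added example, not code from this thread or from the obs-service-cargo_audit project: it turns a `cargo audit --json` report into the same per-advisory summary the OBS service prints above, and additionally tells the packager whether a version bump can clear the advisory or whether the crate has to be dropped or replaced, as was done with brotli-sys here. The JSON field names are assumed from cargo-audit's report format, and the sample report (including the crate version) is constructed.

```python
import json

# Constructed sample of `cargo audit --json` output for a Cargo.lock that
# pins brotli-sys. Field layout is assumed from cargo-audit's JSON report;
# the crate version is made up for the example.
SAMPLE_REPORT = """{
  "vulnerabilities": {
    "found": true,
    "count": 1,
    "list": [
      {
        "advisory": {
          "id": "RUSTSEC-2021-0131",
          "package": "brotli-sys",
          "cvss": null,
          "categories": ["memory-corruption"]
        },
        "versions": {"patched": [], "unaffected": []},
        "package": {"name": "brotli-sys", "version": "0.0.0-constructed"}
      }
    ]
  }
}"""


def summarize(report_json):
    """Return one dict per advisory, with a suggested fix strategy."""
    report = json.loads(report_json)
    findings = []
    for item in report.get("vulnerabilities", {}).get("list", []):
        adv = item["advisory"]
        patched = item.get("versions", {}).get("patched", [])
        findings.append({
            "id": adv["id"],
            "crate": item["package"]["name"],
            "version": item["package"]["version"],
            "cvss": adv.get("cvss"),
            "classes": adv.get("categories", []),
            "patched_versions": patched,
            # No patched release means bumping the version cannot help:
            # the dependency has to be removed or replaced upstream.
            "fix": "update" if patched else "remove or replace",
        })
    return findings


def format_obs_style(findings):
    """Render findings in the '* ID -> crate: ...' form the OBS service logs."""
    return [
        f"* {f['id']} -> crate: {f['crate']}, cvss: {f['cvss']}, "
        f"class: {f['classes']}, fix: {f['fix']}"
        for f in findings
    ]
```

Feed it the real report with `cargo audit --json -f Cargo.lock` from the package's checkout; an empty `patched` list is the signal that an upstream report, not a version bump, is the way out.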