obs-service-source-validator will enforce cargo-audit going forward
Hi all,

William Brown, together with the SUSE Security team implemented a new enforcing check that enforces that "cargo_audit" is going to be used for rust built packages going forward.

see https://en.opensuse.org/openSUSE:Packaging_Rust_Software for details.

While announced here, this will be enforced globally as source-validator is shared between all distros, so please also watch out for failing maintenance updates for that reason.

Greetings,
Dirk
On 21/10/2022 12:41, Dirk Müller wrote:
Hi all,
William Brown, together with the SUSE Security team implemented a new enforcing check that enforces that "cargo_audit" is going to be used for rust built packages going forward.
see https://en.opensuse.org/openSUSE:Packaging_Rust_Software for details.
While announced here, this will be enforced globally as source-validator is shared between all distros, so please also watch out for failing maintenance updates for that reason.
Greetings, Dirk
I think this last update in the validators broke my osc:

Traceback (most recent call last):
  File "/usr/lib/obs/service/source_validators/80-rust-enforce-audit-capability", line 148, in <module>
    main()
  File "/usr/lib/obs/service/source_validators/80-rust-enforce-audit-capability", line 129, in main
    specfiles = Path(args.srcdir).glob("*.spec")
  File "/usr/lib64/python3.10/pathlib.py", line 960, in __new__
    self = cls._from_parts(args)
  File "/usr/lib64/python3.10/pathlib.py", line 594, in _from_parts
    drv, root, parts = self._parse_args(args)
  File "/usr/lib64/python3.10/pathlib.py", line 578, in _parse_args
    a = os.fspath(a)
TypeError: expected str, bytes or os.PathLike object, not NoneType

-- 
David Anes <david.anes@suse.com>
Hi David,

On Fri, 21 Oct 2022 at 13:16, David Anes <david.anes@suse.com> wrote:
I think this last update in the validators broke my osc:
I hit this as well, it should be fixed now. If not, please let me know and file a bug report with more details.

Greetings,
Dirk
Hi,

On 21.10.22 at 12:41, Dirk Müller wrote:
Hi all,
William Brown, together with the SUSE Security team implemented a new enforcing check that enforces that "cargo_audit" is going to be used for rust built packages going forward.
see https://en.opensuse.org/openSUSE:Packaging_Rust_Software for details.
While announced here, this will be enforced globally as source-validator is shared between all distros, so please also watch out for failing maintenance updates for that reason.
Greetings, Dirk
So how are we supposed to handle the following?

[ben@skylab:…n:numeric/python-cramjam]% osc service runall
[0] Already up to date.
29d9e3b4e1e116761637b7a0f3ac8830f2f1541b
Identical target file pyrus-cramjam-2.6.0.tar.xz already exists, skipping..
INFO:obs-service-cargo_vendor:Running OBS Source Service: obs-service-cargo_vendor
INFO:obs-service-cargo_vendor:Current work dir /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:numeric/python-cramjam
INFO:obs-service-cargo_vendor:Searching for Cargo.toml in /tmp/tmpnyjnen_n/pyrus-cramjam
INFO:obs-service-cargo_vendor:Detected Rust app directory: /tmp/tmpnyjnen_n/pyrus-cramjam
INFO:obs-service-cargo_vendor:Updating deps before vendor
INFO:obs-service-cargo_vendor:Running cargo update in directory: /tmp/tmpnyjnen_n/pyrus-cramjam
INFO:obs-service-cargo_vendor:✅ cargo update success
INFO:obs-service-cargo_vendor:Vendoring Cargo.toml deps to /tmp/tmpnyjnen_n/pyrus-cramjam/vendor
INFO:obs-service-cargo_vendor:Running cargo vendor in directory: /tmp/tmpnyjnen_n/pyrus-cramjam
INFO:obs-service-cargo_vendor:✅ cargo vendor success
INFO:obs-service-cargo_vendor: Examples of how to modify your spec file to use vendored libraries can be found online: https://en.opensuse.org/Packaging_Rust_Software#Creating_the_Package
WARNING: To avoid cargo install rebuilding the binary in the install stage all environment variables must be the same as in the build stage.
INFO:obs-service-cargo_vendor:Starting compression ...
INFO:obs-service-cargo_vendor:Success
INFO:obs-service-cargo_audit: Running OBS Source Service : obs-service-cargo_audit
ERROR:obs-service-cargo_audit: possible vulnerabilties: 1
ERROR:obs-service-cargo_audit: /tmp/tmptxa26w30/pyrus-cramjam/Cargo.lock
ERROR:obs-service-cargo_audit: For more information you SHOULD inspect the output of cargo audit manually
ERROR:obs-service-cargo_audit: * RUSTSEC-2021-0131 -> crate: brotli-sys, cvss: None, class: ['memory-corruption']
ERROR:obs-service-cargo_audit: ⚠️ Vulnerabilities may have been found. You must review these.
Aborting: service call failed: /usr/lib/obs/service/cargo_audit --srcdir pyrus-cramjam --outdir /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:numeric/python-cramjam/tmpegree2c6.cargo_audit.service

Thanks,
Ben
On 28.10.22 at 18:09, Ben Greiner wrote:
Hi,
On 21.10.22 at 12:41, Dirk Müller wrote:
Hi all,
William Brown, together with the SUSE Security team implemented a new enforcing check that enforces that "cargo_audit" is going to be used for rust built packages going forward.
see https://en.opensuse.org/openSUSE:Packaging_Rust_Software for details.
While announced here, this will be enforced globally as source-validator is shared between all distros, so please also watch out for failing maintenance updates for that reason.
Greetings, Dirk
So how are we supposed to handle the following?
INFO:obs-service-cargo_audit: Running OBS Source Service : obs-service-cargo_audit
ERROR:obs-service-cargo_audit: possible vulnerabilties: 1
ERROR:obs-service-cargo_audit: /tmp/tmptxa26w30/pyrus-cramjam/Cargo.lock
ERROR:obs-service-cargo_audit: For more information you SHOULD inspect the output of cargo audit manually
ERROR:obs-service-cargo_audit: * RUSTSEC-2021-0131 -> crate: brotli-sys, cvss: None, class: ['memory-corruption']
ERROR:obs-service-cargo_audit: ⚠️ Vulnerabilities may have been found. You must review these.
Follow up: I reported upstream and they did the right thing: remove the offending brotli2 with brotli-sys from the cargo.

https://github.com/milesgranger/pyrus-cramjam/pull/87

- Ben
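The cargo_audit service above names the flagged crate (brotli-sys, RUSTSEC-2021-0131) but not the direct dependency that drags it into the build, which is what a packager has to drop or update (here brotli2, as the upstream fix did). The following is an added example, not code from obs-service-cargo_audit or from the source-validator: it parses a Cargo.lock and walks the reverse dependency graph from a flagged crate up to the workspace root, so the direct culprit can be read off each chain. The Cargo.lock fragment and the advisory mapping are constructed for the example; in practice the advisory list comes from running `cargo audit` against the same lockfile.

```python
"""Find which direct dependencies pull a cargo-audit-flagged crate into a
Cargo.lock.  Added example, not part of obs-service-cargo_audit or the OBS
source validators.  Lockfile and advisory data below are constructed."""

import re
from collections import defaultdict

# Constructed Cargo.lock (not the real pyrus-cramjam lockfile); it mirrors
# the brotli2 -> brotli-sys shape from the thread.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "brotli-sys"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "cc",
 "libc",
]

[[package]]
name = "brotli2"
version = "0.3.2"
dependencies = [
 "brotli-sys",
 "libc",
]

[[package]]
name = "cc"
version = "1.0.73"

[[package]]
name = "libc"
version = "0.2.126"

[[package]]
name = "example-app"
version = "2.6.0"
dependencies = [
 "brotli2",
 "libc",
]
"""

# Constructed: crate -> advisory id, as cargo audit would report for this lock.
SAMPLE_ADVISORIES = {"brotli-sys": "RUSTSEC-2021-0131"}


def parse_cargo_lock(text):
    """Return {name: {"name", "version", "dependencies": [names]}} per [[package]].

    Cargo.lock is a small TOML subset, so a line-oriented parser suffices.
    Dependency entries look like "name", "name 1.2.3" or "name 1.2.3 (source)";
    only the name is kept.  Packages are keyed by name (last version wins),
    which is enough for locating a flagged crate; key by (name, version) if
    a lockfile carries several versions of one crate.
    """
    packages, current, in_deps = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current, in_deps = {"name": None, "version": None, "dependencies": []}, False
            continue
        if current is None or not line or line.startswith("#"):
            continue
        if in_deps:
            if line == "]":
                in_deps = False
            else:
                current["dependencies"].append(line.strip(",").strip('"').split()[0])
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "dependencies" and value == "[":   # Cargo always writes the list multi-line
            in_deps = True
        elif key == "name":
            current["name"] = value.strip('"')
            packages[current["name"]] = current
        elif key == "version":
            current["version"] = value.strip('"')
    return packages


def dependency_chains(packages, target):
    """All chains root -> ... -> target; a root is a crate nothing depends on."""
    if target not in packages:
        return []
    rdeps = defaultdict(list)
    for name, pkg in packages.items():
        for dep in pkg["dependencies"]:
            rdeps[dep].append(name)
    chains = []

    def walk(node, path):
        parents = rdeps.get(node, [])
        if not parents:
            chains.append(list(reversed(path)))
        for parent in parents:
            if parent not in path:          # dev-dependency cycles exist in real lockfiles
                walk(parent, path + [parent])

    walk(target, [target])
    return chains


def report(lock_text, advisories):
    """(advisory, crate, version, chain) for every flagged crate present in the lock."""
    packages = parse_cargo_lock(lock_text)
    return [(adv, crate, packages[crate]["version"], chain)
            for crate, adv in advisories.items() if crate in packages
            for chain in dependency_chains(packages, crate)]


def direct_culprits(findings):
    """The root's direct dependency on each chain: what to drop, update or replace."""
    return {chain[1] if len(chain) > 1 else chain[0] for _, _, _, chain in findings}


if __name__ == "__main__":
    for adv, crate, ver, chain in report(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"{adv}: {crate} {ver} via {' -> '.join(chain)}")
    print("act on:", sorted(direct_culprits(report(SAMPLE_LOCK, SAMPLE_ADVISORIES))))
```

The script is deliberately offline: `cargo audit` needs the advisory database, but mapping an advisory back to the dependency edge that introduced it only needs the lockfile, which is exactly what the service leaves behind in the temporary source directory. If a chain has length one, the flagged crate is the package itself and the fix is an upstream release rather than a dependency change.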