Closed Bug 1842331 Opened 2 years ago Closed 2 years ago

./mach cargo vet: There are some issues with your policy.audit-as-crates-io entries

Categories

(Firefox Build System :: General, defect)


Tracking

(firefox-esr102 unaffected, firefox-esr115 unaffected, firefox115 unaffected, firefox116 wontfix, firefox117 fixed)

RESOLVED FIXED
117 Branch

People

(Reporter: jrmuizel, Assigned: glandium)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 file)

I get the following when trying to run ./mach cargo vet

 0:24.22 Vet error: There are some issues with your policy.audit-as-crates-io entries
 0:24.44  related error: Some non-crates.io-fetched packages match published crates.io versions
  mozilla-central-workspace-hack:0.1.0

This seems to have been caused by bug 1838354

Keywords: regression
Regressed by: 1838354
Flags: needinfo?(mh+mozilla)

Set release status flags based on info from the regressing bug 1838354

Bobby, can we get to the bottom of why this is happening for some people and not others? (Jeff, I suppose you're running on Windows?)

Flags: needinfo?(mh+mozilla) → needinfo?(bholley)
Flags: needinfo?(bholley) → needinfo?(nika)

There is a published version of mozilla-central-workspace-hack on crates.io which appears to have been published by you on June 15th (https://crates.io/crates/mozilla-central-workspace-hack). This version has the same "description" as the local crate, so should be considered to match, requiring an audit-as-crates-io = false in the policy table (https://searchfox.org/mozilla-central/rev/6220909421e5cdb2e706a87f77ba7c6f4f21e4d0/supply-chain/config.toml#107-109).

I'm unsure why this wouldn't be appearing for some people. Theoretically this should be appearing for all people who run ./mach cargo vet locally (I also see it as well). Are you not seeing this show up locally? I wonder if you're ending up with an older version of cargo-vet or similar?

Flags: needinfo?(nika) → needinfo?(mh+mozilla)

Yeah, I'm not seeing it locally.

$ ./mach cargo vet -- --version
cargo-vet 0.8.0

Are you on Windows?

Flags: needinfo?(mh+mozilla) → needinfo?(nika)

I was able to reproduce on another machine on Linux. I'm baffled...

(In reply to Mike Hommey [:glandium] from comment #4)

> Yeah, I'm not seeing it locally.
>
> $ ./mach cargo vet -- --version
> cargo-vet 0.8.0
>
> Are you on Windows?

I tested locally on Linux. I'm curious what your crates-io-cache looks like (cargo-vet might have some cache invalidation issue for the description/repository metadata), could you try running:

jq '.crates["mozilla-central-workspace-hack"]' ~/.cache/cargo-vet/crates-io-cache.json

Flags: needinfo?(nika) → needinfo?(mh+mozilla)

Figured on matrix: there is some cache invalidation issue.

Flags: needinfo?(mh+mozilla)
Assignee: nobody → mh+mozilla
Status: NEW → ASSIGNED
Pushed by mh@glandium.org:
https://hg.mozilla.org/integration/autoland/rev/500b5babd3f3
Add policy.mozilla-central-workspace-hack.audit-as-crates-io. r=supply-chain-reviewers,bholley
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 117 Branch
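
As an added example (not code from this bug or from cargo-vet), here is a simplified Python model of the check behind the error above: path crates in Cargo.lock (entries with no `source`) whose name and version are also published on crates.io need an explicit audit-as-crates-io policy entry. The inline Cargo.lock, config.toml and published set are constructed, and matching on name and version alone is an assumption; the comments above say cargo-vet also compares metadata such as the description.

```python
import re

# Constructed sample inputs, not copied from mozilla-central.
CARGO_LOCK = '''
[[package]]
name = "mozilla-central-workspace-hack"
version = "0.1.0"

[[package]]
name = "log"
version = "0.4.19"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "local-only-helper"
version = "0.1.0"
'''
CONFIG_TOML = '''
[policy.local-only-helper]
audit-as-crates-io = false
'''
# Assumed snapshot of (name, version) pairs published on crates.io.
PUBLISHED = {("mozilla-central-workspace-hack", "0.1.0"), ("log", "0.4.19")}

def lock_packages(text):
    """Yield (name, version, source); source is None for non-registry crates."""
    for block in text.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"', block, re.M))
        yield fields["name"], fields["version"], fields.get("source")

def explicit_policies(text):
    """Names whose [policy.NAME] table sets audit-as-crates-io explicitly."""
    names, current = set(), None
    for line in (raw.strip() for raw in text.splitlines()):
        table = re.match(r'\[policy\.(?:"([^"]+)"|([^\]]+))\]', line)
        if table:
            current = table.group(1) or table.group(2)
        elif line.startswith("["):
            current = None  # some other table: stop attributing keys
        elif current and re.match(r'audit-as-crates-io\s*=', line):
            names.add(current)
    return names

def undeclared(lock, config, published):
    """Local crates that shadow a published name:version without a policy."""
    declared = explicit_policies(config)
    return [f"{n}:{v}" for n, v, src in lock_packages(lock)
            if src is None and (n, v) in published and n not in declared]

if __name__ == "__main__":
    print(undeclared(CARGO_LOCK, CONFIG_TOML, PUBLISHED))
```
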