Closed Bug 1942216 Opened 21 days ago Closed 20 days ago

mach cargo vet/mach vendor rust fail after bug 1937808

Categories: Core :: Security: PSM, defect

Status: RESOLVED FIXED
Target Milestone: 136 Branch

Tracking Status
firefox-esr128 --- unaffected
firefox134 --- unaffected
firefox135 --- unaffected
firefox136 --- fixed

People: Reporter: glandium, Assigned: glandium

References: Regression

Keywords: regression

Attachments: 1 file

ERROR   × There are some issues with your policy.audit-as-crates-io entries

Error:   × Some non-crates.io-fetched packages match published crates.io versions
  │   osclientcerts:0.1.4
  help: Add a `policy.*.audit-as-crates-io` entry for them

This is not happening in the vendor task on CI because there we run cargo vet with --locked, which makes it not check crates on crates.io.

The problem is that there is a (yanked) crate on crates.io with the osclientcerts name, and that supply-chain needs an explicit indication that the in-tree crate is not, in fact, from crates.io or like a crate from crates.io.

Assignee: nobody → mh+mozilla
Status: NEW → ASSIGNED

Set release status flags based on info from the regressing bug 1937808

Pushed by mh@glandium.org:
https://hg.mozilla.org/integration/autoland/rev/acdc7c2d4e3a
Add a supply-chain policy for osclientcerts. r=keeler,supply-chain-reviewers
Status: ASSIGNED → RESOLVED
Closed: 20 days ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch