Closed
Bug 1942216
Opened 21 days ago
Closed 20 days ago
mach cargo vet/mach vendor rust fail after bug 1937808
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
FIXED
136 Branch
Version | Tracking | Status |
---|---|---|
firefox-esr128 | --- | unaffected |
firefox134 | --- | unaffected |
firefox135 | --- | unaffected |
firefox136 | --- | fixed |
People
(Reporter: glandium, Assigned: glandium)
References
(Regression)
Details
(Keywords: regression)
Attachments
(1 file)
ERROR × There are some issues with your policy.audit-as-crates-io entries
Error: × Some non-crates.io-fetched packages match published crates.io versions
│ osclientcerts:0.1.4
help: Add a `policy.*.audit-as-crates-io` entry for them
This is not happening in the vendor task on CI because there we run cargo vet with --locked, which makes it not check crates on crates.io.
The problem is that there is a (yanked) crate on crates.io with the osclientcerts name, and that supply-chain needs an explicit indication that the in-tree crate is not, in fact, from crates.io or like a crate from crates.io.
Comment 1•21 days ago
Updated•21 days ago
Assignee: nobody → mh+mozilla
Status: NEW → ASSIGNED
Comment 2•21 days ago
Set release status flags based on info from the regressing bug 1937808
status-firefox134:
--- → unaffected
status-firefox135:
--- → unaffected
status-firefox136:
--- → affected
status-firefox-esr128:
--- → unaffected
Pushed by mh@glandium.org:
https://hg.mozilla.org/integration/autoland/rev/acdc7c2d4e3a
Add a supply-chain policy for osclientcerts. r=keeler,supply-chain-reviewers
Comment 4•20 days ago
bugherder |
Status: ASSIGNED → RESOLVED
Closed: 20 days ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch