`mach cargo vet` fails: some audit-as-crates-io packages don't match published crates.io versions zip:2.4.2
Categories: Core :: General, defect

| | Tracking | Status |
|---|---|---|
| firefox151 | --- | fixed |

People: Reporter: glandium, Assigned: glandium

Attachments: 1 file
0:05.30 E Vet error: There are some issues with your policy.audit-as-crates-io entries
0:05.30 related error: some audit-as-crates-io packages don't match published crates.io versions
zip:2.4.2
0:05.30 Run `./mach cargo vet` for more information.
It's trivially fixed, but I don't understand why this wasn't causing problems until now. crates.io says zip 2.4.2 was published a year ago. It landed in our repo in July, and the audit-as-crates-io for zip was added in August. Nika, would you have an explanation?
Comment 1•1 month ago (assignee)
Comment 2•1 month ago
That error occurs if it can't find the package on crates.io, and there are no audits. We definitely have audits for zip, and obviously it's on crates.io as well. I'm looking into this.
Comment 3•1 month ago
It does appear that the zip crate is patched (in https://phabricator.services.mozilla.com/D259200), so flagging it as different from crates.io seems correct, but the patch is not recent, so it's not clear why it only became a problem recently.
Comment 4•1 month ago (assignee)
(In reply to Andy Leiserson [:aleiserson] from comment #3)
> It does appear that the zip crate is patched (in https://phabricator.services.mozilla.com/D259200), so flagging it as different from crates.io seems correct, but the patch is not recent, so it's not clear why it only became a problem recently.
Wait, what? The fix should actually break things, shouldn't it?
Comment 5•1 month ago
Yes, there's something wrong here. I am handling an incident so I haven't had a chance to delve deeper yet. I believe the policy should be there.
Comment 6•1 month ago
Last week, the Cargo.toml in the repository for zip was edited to remove the .git suffix from repository and to remove a leading and trailing newline from description [Diff]. (Also, since that change was made, it has been published to crates.io.)
cargo-vet considers a crate to be "the same" as a crates.io crate if the description and repository in the crate metadata match. [Source]
So it seems the cargo-vet check that a crate "matches" the crates.io version isn't looking for byte-equivalent source code like I had assumed. It just wants the description and repository to match. When that stopped being the case, cargo vet started raising this error. It never cared that the contents of third_party/rust/zip (other than specific Cargo.toml metadata, I guess) don't match the contents of the crates.io crate.
So, https://phabricator.services.mozilla.com/D289995 seems like a fine solution, other than maybe it would be good to leave a comment explaining why zip is not currently audit-as-crates-io (on the other hand, I suppose this bug can do that).
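An added illustration of the matching rule described in comment 6, not code from this bug or from cargo-vet itself: the crate metadata and file trees below are constructed stand-ins (the zip crate's real description and repository values are not quoted on this page), and the content digest goes one step beyond the comment to show that a metadata match says nothing about whether the vendored source equals the published crate.

```python
import hashlib

# Constructed sample values standing in for the zip crate's real metadata,
# which this bug does not quote. The vendored copy still carries the leading
# and trailing newline in `description` and the `.git` suffix on `repository`.
VENDORED_META = {
    "description": "\nLibrary to support the reading and writing of zip files.\n",
    "repository": "https://example.invalid/zip-rs/zip2.git",
}
CRATES_IO_META = {
    "description": "Library to support the reading and writing of zip files.",
    "repository": "https://example.invalid/zip-rs/zip2",
}
# Constructed file trees: the vendored tree carries a local patch, the
# registry tree does not. Cargo.toml is identical in both.
VENDORED_FILES = {"Cargo.toml": b'[package]\nname = "zip"\n', "src/lib.rs": b"// patched\n"}
CRATES_IO_FILES = {"Cargo.toml": b'[package]\nname = "zip"\n', "src/lib.rs": b"// upstream\n"}

def metadata_matches(vendored: dict, registry: dict) -> tuple[bool, list[str]]:
    """The rule from comment 6: the vendored crate counts as the crates.io crate
    only if `description` and `repository` are identical, character for character."""
    reasons = [
        f"{key} differs: {vendored.get(key)!r} != {registry.get(key)!r}"
        for key in ("description", "repository")
        if vendored.get(key) != registry.get(key)
    ]
    return not reasons, reasons

def cosmetic_differences(vendored: dict, registry: dict) -> list[str]:
    """Triage helper: flag mismatches that are only surrounding whitespace or a
    `.git` suffix, the two edits that tripped the zip crate in this bug."""
    notes = []
    v_desc, r_desc = vendored["description"], registry["description"]
    if v_desc != r_desc and v_desc.strip() == r_desc.strip():
        notes.append("description differs only in leading/trailing whitespace")
    v_repo, r_repo = vendored["repository"], registry["repository"]
    if v_repo != r_repo and v_repo.removesuffix(".git") == r_repo.removesuffix(".git"):
        notes.append("repository differs only by a .git suffix")
    return notes

def source_digest(files: dict) -> str:
    """Stable digest over a crate's file contents. Equal metadata does not make
    this equal: that is the gap comment 6 points out."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + files[path] + b"\0")
    return h.hexdigest()
```

With the constructed values, `metadata_matches` fails for the same two cosmetic reasons as in the bug, while `source_digest` differs even after the metadata is brought back in line.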