debcrafters-packages team mailing list archive
-
debcrafters-packages team
-
Mailing list archive
-
Message #00731
[Bug 2111699] Re: dh-cargo-vendored-sources produces misleading XS-Vendored-Sources-Rust
More fixes are needed to the plucky dh-cargo-vendor detection code
before that's possible, as it stands we know it breaks certain crates. I
have a patch from Zixing that fixes that but it needs to land in
questing first.
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to dh-cargo in Ubuntu.
https://bugs.launchpad.net/bugs/2111699
Title:
dh-cargo-vendored-sources produces misleading XS-Vendored-Sources-Rust
Status in dh-cargo package in Ubuntu:
New
Bug description:
On Jammy and Noble, dh-cargo-vendored-sources is not able to detect
when the rust-vendor directory has been generated with cargo-vendor-
filterer thus producing a XS-Vendored-Sources-Rust string that does
not accurately reflect the rust dependencies. Specifically, XS-
Vendored-Sources-Rust will include dependencies that have been
selectively removed by cargo-vendor-filterer.
This issue is fixed in plucky, but I think this fixed should be
backported to prevent a rust package from being flagged by the
security team if a CVE affects one of the dependencies that has been
removed by dh-cargo-vendored-sources.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dh-cargo/+bug/2111699/+subscriptions
References