debcrafters-packages team mailing list archive
Message #00749
[Bug 2111699] Re: dh-cargo-vendored-sources produces misleading XS-Vendored-Sources-Rust
** Also affects: dh-cargo (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: dh-cargo (Ubuntu Jammy)
Importance: Undecided
Status: New
** Also affects: dh-cargo (Ubuntu Oracular)
Importance: Undecided
Status: New
** Also affects: dh-cargo (Ubuntu Plucky)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to dh-cargo in Ubuntu.
https://bugs.launchpad.net/bugs/2111699
Title:
dh-cargo-vendored-sources produces misleading XS-Vendored-Sources-Rust
Status in dh-cargo package in Ubuntu:
Fix Released
Status in dh-cargo source package in Jammy:
New
Status in dh-cargo source package in Noble:
New
Status in dh-cargo source package in Oracular:
New
Status in dh-cargo source package in Plucky:
New
Bug description:
On Jammy and Noble, dh-cargo-vendored-sources is not able to detect
when the rust-vendor directory has been generated with
cargo-vendor-filterer, thus producing an XS-Vendored-Sources-Rust
string that does not accurately reflect the Rust dependencies.
Specifically, XS-Vendored-Sources-Rust will include dependencies that
have been selectively removed by cargo-vendor-filterer.
This issue is fixed in Plucky, but I think this fix should be
backported to prevent a Rust package from being flagged by the
security team if a CVE affects one of the dependencies that has been
removed by dh-cargo-vendored-sources.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dh-cargo/+bug/2111699/+subscriptions