From: Andreas Gruenbacher on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3880#note_2530774504
This downloads bindgen-cli.crate from crates.io without verifying that the file obtained matches what was requested. The package is then built inside the build environment. This means that the entire kernel build is under full control of crates.io, which could inject arbitrary code.

During the kernel build, the cargo tool is now used as well, so it needs to be added to BuildRequires.

Overall though, I would very much prefer not to package bindgen-cli with the kernel and to turn off Rust support in releases that don't provide the necessary infrastructure. In those environments, Rust support surely doesn't matter now, and it also won't matter anytime soon, either.
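The missing check described in the comment above, as an added example that is not part of the original message or of the kernel-ark packaging: a downloaded `.crate` is compared against a SHA-256 pinned in a Cargo.lock-style file before anything is built from it. The function names, the file names and the version `0.0.0` are hypothetical, and the sample files are constructed stand-ins for the real download.

```shell
# Added example: refuse to build a downloaded .crate unless it matches a pinned SHA-256.
# Function names, file names and version 0.0.0 are hypothetical / constructed.

# Print the checksum pinned for <name> <version> in a Cargo.lock-style file.
lock_checksum() {  # $1=lock file  $2=crate name  $3=version
  awk -v n="$2" -v v="$3" '
    /^\[\[package\]\]/ { name = ""; ver = "" }
    $1 == "name"     { gsub(/"/, "", $3); name = $3 }
    $1 == "version"  { gsub(/"/, "", $3); ver = $3 }
    $1 == "checksum" && name == n && ver == v { gsub(/"/, "", $3); print $3; found = 1; exit }
    END { exit !found }' "$1"
}

# Succeed only if the file's SHA-256 equals the expected hex digest.
verify_crate() {  # $1=.crate file  $2=expected sha256
  actual=$(sha256sum "$1" 2>/dev/null | awk '{ print $1 }')
  [ -n "$2" ] && [ "$actual" = "$2" ]
}

# Returns 0 on match, 1 on mismatch, 2 when no pin exists (fail closed).
verify_from_lock() {  # $1=.crate file  $2=lock file  $3=name  $4=version
  expected=$(lock_checksum "$2" "$3" "$4") ||
    { echo "no pinned checksum for $3 $4" >&2; return 2; }
  verify_crate "$1" "$expected" ||
    { echo "checksum mismatch for $1" >&2; return 1; }
}

# Constructed sample input: a stand-in "download", a modified copy, and the pin.
demo=$(mktemp -d)
printf 'hello\n'  > "$demo/good.crate"
printf 'hello!\n' > "$demo/tampered.crate"
cat > "$demo/Cargo.lock" <<'EOF'
[[package]]
name = "bindgen-cli"
version = "0.0.0"
checksum = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
EOF

verify_from_lock "$demo/good.crate" "$demo/Cargo.lock" bindgen-cli 0.0.0 &&
  echo "good.crate: matches pin, build may proceed"
verify_from_lock "$demo/tampered.crate" "$demo/Cargo.lock" bindgen-cli 0.0.0 ||
  echo "tampered.crate: rejected before build"
```

The pin only helps if it is committed and reviewed together with the packaging, not fetched from the same place as the crate.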