Public bug reported:

On Jammy and Noble, dh-cargo-vendored-sources is not able to detect when
the rust-vendor directory has been generated with cargo-vendor-filterer,
thus producing an XS-Vendored-Sources-Rust string that does not
accurately reflect the Rust dependencies. Specifically,
XS-Vendored-Sources-Rust will include dependencies that have been
selectively removed by cargo-vendor-filterer.

This issue is fixed in Plucky, but I think this fix should be
backported to prevent a Rust package from being flagged by the security
team if a CVE affects one of the dependencies that has been removed by
dh-cargo-vendored-sources.

** Affects: dh-cargo (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2111699

Title:
  dh-cargo-vendored-sources produces misleading XS-Vendored-Sources-Rust
