@sbeattie there's some context on those various fields in
https://github.com/cpaelzer/ubuntu-mir/pull/3

Basically X-Cargo-Built-Using should be folded into Built-Using. There
has been no talk of automating detection of packages that ought to have
those fields, but that does sound like a good idea.

However, in the case of rustc and any future main package built using
Rust, there are going to be vendored dependencies that are not packaged
at all. It doesn't seem like a good idea to me to document those in the
same fields as the dependencies that are separately packaged but
statically linked, which is why I proposed shipping the Cargo.lock file.

If you'd prefer, we could instead ship it in another field, maybe
X-Vendored-Sources (as mentioned before, Built-Using seems out of scope
for that). For instance, using this small Python snippet, I get this for
the Cargo.lock file shipped in rustc (Jammy):

$ zcat Cargo.lock.gz | python3 -c "import toml; import sys; \
  print(', '.join(f\"{p['name']}/{p['version']}\" \
  for p in toml.load(sys.stdin)['package'] if 'source' in p))"

addr2line/0.16.0, adler/1.0.2, aho-corasick/0.7.18, ammonia/3.1.0,
annotate-snippets/0.8.0, ansi_term/0.11.0, ansi_term/0.12.1,
anyhow/1.0.45, array_tool/1.0.3, arrayvec/0.7.2, atty/0.2.14,
autocfg/1.0.1, bitflags/1.3.2, block-buffer/0.7.3, block-buffer/0.9.0,
block-padding/0.1.5, bstr/0.2.13, byte-tools/0.3.1, bytecount/0.6.2,
byteorder/1.3.4, camino/1.0.5, cargo-platform/0.1.2,
cargo_metadata/0.12.0, cargo_metadata/0.14.1, cc/1.0.71, cfg-if/0.1.10,
cfg-if/1.0.0, chalk-derive/0.55.0, chalk-engine/0.55.0, chalk-ir/0.55.0,
chalk-solve/0.55.0, chrono/0.4.19, clap/2.33.3, cmake/0.1.44,
colored/2.0.0, compiler_builtins/0.1.53, compiletest_rs/0.7.1,
cpuid-bool/0.1.2, crc32fast/1.2.1, crossbeam-channel/0.5.1,
crossbeam-deque/0.7.4, crossbeam-deque/0.8.1, crossbeam-epoch/0.8.2,
crossbeam-epoch/0.9.5, crossbeam-queue/0.2.3, crossbeam-utils/0.7.2,
crossbeam-utils/0.8.5, cstr/0.2.8, ctor/0.1.15, datafrog/2.0.1, derive-new/0.5.8,
diff/0.1.12, difference/2.0.0, digest/0.8.1, digest/0.9.0, dirs/2.0.2,
dirs-next/2.0.0, dirs-sys/0.3.6, dirs-sys-next/0.1.2, dlmalloc/0.2.3,
either/1.6.1, elasticlunr-rs/2.3.9, ena/0.14.0, env_logger/0.7.1,
env_logger/0.8.4, expect-test/1.0.1, fake-simd/0.1.2, filetime/0.2.15,
fixedbitset/0.2.0, flate2/1.0.22, fnv/1.0.7, form_urlencoded/1.0.1,
fortanix-sgx-abi/0.3.3, fs-err/2.5.0, futf/0.1.4, generic-array/0.12.4,
generic-array/0.14.4, getopts/0.2.21, getrandom/0.1.14, getrandom/0.2.0,
gimli/0.25.0, glob/0.3.0, globset/0.4.5, globwalk/0.8.1, gsgdt/0.1.2,
handlebars/4.1.0, hashbrown/0.11.2, heck/0.3.3, hermit-abi/0.1.19,
hex/0.4.2, html5ever/0.25.1, humantime/1.3.0, humantime/2.0.1,
idna/0.2.3, if_chain/1.0.0, ignore/0.4.17, indexmap/1.7.0, indoc/1.0.3,
instant/0.1.12, itertools/0.9.0, itertools/0.10.1, itoa/0.4.8,
jobserver/0.1.24, jsonpath_lib/0.2.6, lazy_static/1.4.0, libc/0.2.107,
libm/0.1.4, lock_api/0.4.5, log/0.4.14, lzma-sys/0.1.16, mac/0.1.1,
macro-utils/0.1.3, maplit/1.0.2, markup5ever/0.10.0,
markup5ever_rcdom/0.1.0, matchers/0.0.1, matches/0.1.9,
maybe-uninit/2.0.0, md-5/0.9.1, mdbook/0.4.12, measureme/10.0.0, memchr/2.4.1,
memmap2/0.2.1, memoffset/0.5.5, memoffset/0.6.4, merge/0.1.0,
merge_derive/0.1.0, minifier/0.0.41, miniz_oxide/0.4.4, miow/0.3.7,
new_debug_unreachable/1.0.4, num-integer/0.1.43, num-traits/0.2.12,
num_cpus/1.13.0, object/0.26.2, odht/0.3.1, once_cell/1.8.0,
opaque-debug/0.2.3, opaque-debug/0.3.0, open/1.4.0, opener/0.5.0,
output_vt100/0.1.2, packed_simd_2/0.3.4, parking_lot/0.11.2,
parking_lot_core/0.8.5, pathdiff/0.2.0, percent-encoding/2.1.0,
perf-event-open-sys/1.0.1, pest/2.1.3, pest_derive/2.1.0,
pest_generator/2.1.3, pest_meta/2.1.3, petgraph/0.5.1, phf/0.8.0,
phf_codegen/0.8.0, phf_generator/0.8.0, phf_shared/0.8.0,
pin-project-lite/0.2.7, pkg-config/0.3.18, polonius-engine/0.13.0, ppv-lite86/0.2.8,
precomputed-hash/0.1.1, pretty_assertions/0.6.1, proc-macro-error/1.0.4,
proc-macro-error-attr/1.0.4, proc-macro2/1.0.32, psm/0.1.16,
pulldown-cmark/0.7.2, pulldown-cmark/0.8.0, punycode/0.4.1, quick-error/1.2.3,
quick-error/2.0.0, quine-mc_cluskey/0.2.4, quote/1.0.10, rand/0.7.3,
rand/0.8.4, rand_chacha/0.2.2, rand_chacha/0.3.0, rand_core/0.5.1,
rand_core/0.6.2, rand_hc/0.2.0, rand_hc/0.3.0, rand_pcg/0.2.1,
rand_xorshift/0.2.0, rand_xoshiro/0.6.0, rayon/1.5.1, rayon-core/1.9.1,
redox_syscall/0.2.10, redox_users/0.4.0, regex/1.5.4,
regex-automata/0.1.10, regex-syntax/0.6.25, remove_dir_all/0.5.3,
rls-data/0.19.1, rls-span/0.5.3, rustc-demangle/0.1.21, rustc-hash/1.1.0,
rustc-rayon/0.3.1, rustc-rayon-core/0.3.1, rustc-semver/1.1.0,
rustfix/0.5.1, rustfix/0.6.0, rustversion/1.0.5, ryu/1.0.5,
same-file/1.0.6, scoped-tls/1.0.0, scopeguard/1.1.0, semver/0.11.0,
semver/1.0.4, semver-parser/0.10.2, serde/1.0.130, serde_derive/1.0.130,
serde_json/1.0.69, sha-1/0.8.2, sha-1/0.9.1, sha2/0.9.1,
sharded-slab/0.1.4, shell-escape/0.1.5, shlex/1.0.0, siphasher/0.3.3,
smallvec/1.7.0, snap/1.0.5, stable_deref_trait/1.2.0, stacker/0.1.14,
string_cache/0.8.0, string_cache_codegen/0.5.1, strsim/0.8.0,
structopt/0.3.16, structopt-derive/0.4.9, strum/0.18.0,
strum_macros/0.18.0, syn/1.0.81, synstructure/0.12.6, tar/0.4.37,
tempfile/3.2.0, tendril/0.4.1, tera/1.10.0, term/0.6.1, term/0.7.0,
termcolor/1.1.2, termize/0.1.1, tester/0.9.0, textwrap/0.11.0,
thiserror/1.0.20, thiserror-impl/1.0.20, thread_local/1.1.3,
time/0.1.43, tinyvec/1.5.0, tinyvec_macros/0.1.0, toml/0.5.7,
tracing/0.1.29, tracing-attributes/0.1.18, tracing-core/0.1.21,
tracing-log/0.1.2, tracing-serde/0.1.2, tracing-subscriber/0.2.25,
tracing-tree/0.1.10, typenum/1.12.0, ucd-parse/0.1.8, ucd-trie/0.1.3,
unic-char-property/0.9.0, unic-char-range/0.9.0, unic-common/0.9.0,
unic-emoji-char/0.9.0, unic-ucd-version/0.9.0, unicase/2.6.0, unicode-bidi/0.3.7,
unicode-normalization/0.1.19, unicode-script/0.5.3,
unicode-security/0.0.5, unicode-segmentation/1.8.0, unicode-width/0.1.8,
unicode-xid/0.2.2, unicode_categories/0.1.1, unified-diff/0.2.1,
unindent/0.1.7, url/2.2.2, utf-8/0.7.5, vec_map/0.8.2,
version_check/0.9.3, walkdir/2.3.2, wasi/0.9.0+wasi-snapshot-preview1,
winapi/0.3.9, winapi-i686-pc-windows-gnu/0.4.0, winapi-util/0.1.5,
winapi-x86_64-pc-windows-gnu/0.4.0, xattr/0.2.2, xml5ever/0.16.1,
xz2/0.1.6, yaml-rust/0.3.5, yansi-term/0.1.2

The "if 'source' in p" statement filters out crates that are internal to
rustc. Surprisingly, the remaining rustc-* crates are separately
packaged forks of existing crates.

Would the security team feel more comfortable with this?
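The following is an added example, not code from the message above or from the rustc/cargo packaging: it does what the one-liner does (keep only lock entries that carry a `source`) but over a constructed Cargo.lock embedded in the script, with a small hand parser so it runs without the third-party `toml` module, and it renders the result as the hypothetical X-Vendored-Sources control field proposed in the message. It also flags the case a reviewer would care about when such a field is used for security tracking: a registry crate whose lock entry has no checksum, since then nothing in the lock file ties the vendored tarball to what crates.io served. The field name, the fold width and the sample crates (placeholder checksums, an `example.invalid` git URL) are this example's assumptions.

```python
import re

# Constructed sample Cargo.lock, not rustc's real one: a workspace-internal crate
# (no `source`), two registry versions of serde, a registry crate lacking its
# checksum, and a git crate. Checksums are obvious placeholders.
SAMPLE_LOCK = """\
version = 3

[[package]]
name = "rustc_driver"
version = "0.0.0"
dependencies = [
 "libc",
 "serde 1.0.130",
]

[[package]]
name = "libc"
version = "0.2.107"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER-CHECKSUM-NOT-REAL-0001"

[[package]]
name = "serde"
version = "1.0.130"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER-CHECKSUM-NOT-REAL-0002"

[[package]]
name = "serde"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "example-git-crate"
version = "0.1.0"
source = "git+https://example.invalid/repo.git?rev=0123abcd#0123abcd"
"""

_KV = re.compile(r'^(\w+)\s*=\s*"(.*)"$')


def parse_cargo_lock(text):
    """Parse the [[package]] tables of a Cargo.lock into a list of dicts.

    Cargo.lock is a small, regular TOML subset, so a hand parser keeps this
    runnable without the third-party `toml` module used by the one-liner.
    """
    packages, current, in_deps = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[package]]":
            current = {"dependencies": []}
            packages.append(current)
            in_deps = False
            continue
        if current is None:          # top-level keys such as `version = 3`
            continue
        if in_deps:                  # inside a multi-line dependencies array
            if line == "]":
                in_deps = False
            else:
                current["dependencies"].append(line.strip('",'))
            continue
        if line.startswith("dependencies = ["):
            if line.endswith("]"):   # single-line array, possibly empty
                current["dependencies"] = re.findall(r'"([^"]*)"', line)
            else:
                in_deps = True
            continue
        m = _KV.match(line)
        if not m:
            raise ValueError(f"unrecognised Cargo.lock line: {raw!r}")
        current[m.group(1)] = m.group(2)
    return packages


def vendored_crates(packages):
    """'name/version' for every crate with a `source`: the same filter as the
    one-liner, since entries without `source` are workspace members, not
    vendored code. Sorted as plain strings, which suffices for a control field."""
    return sorted(f"{p['name']}/{p['version']}" for p in packages if "source" in p)


def unverified_registry_crates(packages):
    """Registry crates whose lock entry carries no checksum. Git sources are
    pinned by revision instead, so only `registry+` sources are considered."""
    return sorted(f"{p['name']}/{p['version']}" for p in packages
                  if p.get("source", "").startswith("registry+") and "checksum" not in p)


def format_field(name, values, width=78):
    """Render values as a deb822-style field with space-indented continuation
    lines (the folding is this example's choice, not an established convention
    for the hypothetical X-Vendored-Sources field)."""
    lines, current = [], f"{name}:"
    for value in values:
        piece = f" {value},"
        if len(current) + len(piece) > width and current != f"{name}:":
            lines.append(current)
            current = piece
        else:
            current += piece
    lines.append(current.rstrip(","))
    return "\n".join(lines)


if __name__ == "__main__":
    pkgs = parse_cargo_lock(SAMPLE_LOCK)
    print(format_field("X-Vendored-Sources", vendored_crates(pkgs)))
    print("registry crates without checksum:", unverified_registry_crates(pkgs))
```

Run against a real lock file with `zcat Cargo.lock.gz | python3 -c 'import sys, example; ...'` or by replacing SAMPLE_LOCK with `sys.stdin.read()`; the parser raises on any line shape it does not recognise rather than silently dropping an entry, which is the behaviour you want from anything feeding a provenance field.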

https://bugs.launchpad.net/bugs/1957932

Title:
  [MIR] rustc, cargo
