On Thu, Jan 23, 2025 at 12:32 AM Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
>
> I don't think supply chain security was really mentioned in the thread
> yet (apologies if it was - I only scanned it).
>
> There's a real danger that if we forgo responsibility for reviewing
> packages to another project, then someone can add a bad package to
> that other project and it becomes a problem for Fedora. (npm is a
> particularly egregious example.)
>
> And yes, I know that review in Fedora is not always very thorough, but
> we should be aware of this and try not to make it worse.

I agree, this is definitely a concern. Some people seem to think that "just use vendored dependencies" is a cheat code to avoid legal and technical review of the dependencies of an application, when in reality, the responsibility to check that vendored dependencies contain only permissible content is still on the package maintainer. (This is what imploded the NodeJS ecosystem after vendoring was made the default.)

For Rust packages using vendored dependencies that are submitted for package review, I explicitly check that the contents of the "vendor tarball" contain only acceptable stuff. For example (not supply-chain related, but export-restrictions related), the "fiat-crypto" crate contains some elliptic-curve cryptography that is not allowed to be shipped by Fedora. The "rust-fiat-crypto" package for this crate handles this correctly by re-packing the tarball without this code, and never uploading the original sources to Fedora infra. But of course, running "cargo vendor" will just give you a copy of the fiat-crypto crate with all that stuff still in it - so this needs to be patched during creation of the "vendor tarball" before uploading it to Fedora infra, too.

But no such review is enforced ever again once the package has passed review.
I doubt that all maintainers of using-vendored-dependencies packages (not specific to Rust) always do thorough reviews of vendored dependencies like that for every update - because it requires knowledge (that is often only "encoded" in the RPM packages for those dependencies), and additional, tedious work reviewing any changes in the dependencies.

Fabio
-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
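The vendor-tarball check and repack described in the message above, as an added Python example that is not from the thread and not Fedora's own packaging tooling: it re-verifies every crate in a `cargo vendor` output directory against the `.cargo-checksum.json` that `cargo vendor` writes (so tampering or an incomplete repack is caught before anything is uploaded), and strips crate-relative paths from a crate while updating that manifest, since cargo refuses a vendored crate whose listed files are missing. The crate name, version and `src/restricted` path in the constructed sample are placeholders, not the real fiat-crypto layout.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

CHECKSUM_FILE = ".cargo-checksum.json"  # written by `cargo vendor` into every crate dir


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def verify_vendor_dir(vendor_dir) -> dict:
    """Re-hash every file listed in each crate's manifest, as cargo does at build time.
    Returns {crate_dir: [entries that are missing or whose hash differs]}."""
    report = {}
    for crate in sorted(p for p in Path(vendor_dir).iterdir() if p.is_dir()):
        files = json.loads((crate / CHECKSUM_FILE).read_text()).get("files", {})
        report[crate.name] = [rel for rel, want in files.items()
                              if not (crate / rel).is_file() or _sha256(crate / rel) != want]
    return report


def strip_vendored_paths(vendor_dir, crate_name: str, remove: list) -> list:
    """Delete crate-relative files or directories that must not be shipped and drop
    their manifest entries so cargo still accepts the crate. Returns removed entries."""
    crate = Path(vendor_dir) / crate_name
    cs_path = crate / CHECKSUM_FILE
    manifest = json.loads(cs_path.read_text())
    files, removed = manifest.get("files", {}), []
    for rel in remove:
        target = crate / rel
        if crate.resolve() not in target.resolve().parents:  # refuse "../" escapes
            raise ValueError(f"{rel!r} is outside {crate_name}")
        for key in [k for k in files if k == rel or k.startswith(rel.rstrip("/") + "/")]:
            removed.append(key)
            del files[key]
        shutil.rmtree(target) if target.is_dir() else target.unlink(missing_ok=True)
    manifest["files"] = files
    cs_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return sorted(removed)


def build_sample_vendor_dir() -> Path:
    """Constructed stand-in for `cargo vendor` output: one fake crate, not real fiat-crypto."""
    root = Path(tempfile.mkdtemp())
    crate = root / "fiat-crypto-0.0.0"  # constructed name and version
    (crate / "src" / "restricted").mkdir(parents=True)
    (crate / "Cargo.toml").write_text('[package]\nname = "fiat-crypto"\n')
    (crate / "src" / "lib.rs").write_text("pub mod restricted;\n")
    (crate / "src" / "restricted" / "mod.rs").write_text("// constructed placeholder\n")
    files = {p.relative_to(crate).as_posix(): _sha256(p) for p in crate.rglob("*") if p.is_file()}
    (crate / CHECKSUM_FILE).write_text(json.dumps({"files": files, "package": "0" * 64}))
    return root
```

Running `verify_vendor_dir` on the real vendor directory both before and after stripping gives a reproducible record of what was removed, which is the part of the review that otherwise lives only in the maintainer's head.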