GNU bug report logs - #56895
rust-brotli-sys bundles (insecure!) brotli


Package: guix;

Reported by: Maxime Devos <maximedevos <at> telenet.be>

Date: Tue, 2 Aug 2022 18:07:02 UTC

Severity: normal



Report forwarded to bug-guix <at> gnu.org:
bug#56895; Package guix. (Tue, 02 Aug 2022 18:07:02 GMT)

Acknowledgement sent to Maxime Devos <maximedevos <at> telenet.be>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Tue, 02 Aug 2022 18:07:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Maxime Devos <maximedevos <at> telenet.be>
To: bug-guix <at> gnu.org
Subject: rust-brotli-sys bundles (insecure!) brotli
Date: Tue, 2 Aug 2022 20:06:31 +0200
I noticed rust-brotli-sys bundles brotli: 
<https://github.com/bitemyapp/brotli2-rs/blob/master/brotli-sys/build.rs#L16>.

The version it bundles is apparently insecure: 
<https://github.com/bitemyapp/brotli2-rs/issues/45>

As mentioned at <https://github.com/actix/actix-web/issues/2537>, there 
have been multiple PRs updating it to a new version, but they were abandoned, so 
it appears we have to remove rust-brotli-sys entirely (in favour of 
rust-brotli?) or merge one of them (or better: unbundle things) on our own.

Greetings,
Maxime.


Information forwarded to bug-guix <at> gnu.org:
bug#56895; Package guix. (Tue, 02 Aug 2022 18:14:01 GMT)

Message #8 received at 56895 <at> debbugs.gnu.org:

From: Maxime Devos <maximedevos <at> telenet.be>
To: Nicolas Goaziou <mail <at> nicolasgoaziou.fr>, 56895 <at> debbugs.gnu.org
Subject: Re: rust-brotli-sys bundles (insecure!) brotli
Date: Tue, 2 Aug 2022 20:13:46 +0200
Friendly reminder to the original patch author and committer (*) to 
check for bundling during review.

(*) 
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=52cc16b38b1b01b2bb354ed5510120856de15d39

Greetings,
Maxime.
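The bundling check that message #8 asks reviewers to perform, as an added example written for this page (it is not part of the bug report, of the brotli2-rs repository, or of Guix): a POSIX shell function that walks an unpacked crate tree, finds every build.rs that drives the `cc` or `cmake` crate, and lists the directories of C/C++ sources that sit inside that crate. The sample tree it can build is constructed and only loosely imitates the brotli-sys layout linked in the first message; its directory and file names are assumptions.

```shell
#!/bin/sh
# Reviewer aid: report Rust crates in a source tree that compile their own
# copy of a C/C++ library (bundling), the situation described in this bug.
# Heuristic: a build.rs that drives the `cc` or `cmake` crate, together with
# C/C++ source files living inside the same crate.

# Print "<build.rs>: <dir>" for every directory of native sources under a
# crate whose build.rs compiles native code. Returns 1 if anything was found,
# 0 if the tree looks clean.
find_bundled_sources() {
    crate_dir=$1
    hits=$(
        find "$crate_dir" -name build.rs -print | while read -r build_rs; do
            # A build script that never touches cc/cmake is not building a C library.
            grep -Eq 'cc::Build|cmake::Config' "$build_rs" || continue
            crate_root=$(dirname "$build_rs")
            find "$crate_root" \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' \) -print \
                | sed 's|/[^/]*$||' | sort -u \
                | while read -r dir; do printf '%s: %s\n' "$build_rs" "$dir"; done
        done
    )
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample tree (an assumption, loosely modelled on brotli-sys):
# one crate that compiles a vendored C file and one pure-Rust crate.
make_sample_tree() {
    root=$1
    mkdir -p "$root/brotli-sys/brotli/c/common" "$root/pure-rust/src"
    printf 'fn main() {\n    cc::Build::new().file("brotli/c/common/dictionary.c").compile("brotli");\n}\n' \
        > "$root/brotli-sys/build.rs"
    : > "$root/brotli-sys/brotli/c/common/dictionary.c"
    : > "$root/pure-rust/src/lib.rs"
}

# Usage: sh check-bundling.sh <unpacked-crate-or-vendor-directory>
if [ $# -gt 0 ]; then
    find_bundled_sources "$1"
fi
```

A hit means the crate ships and compiles native sources; for Guix that is the cue to strip them in an origin snippet and point the build at the system library instead.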
