rust-brotli-sys bundles (insecure!) brotli

Open

Details

One participant

Maxime Devos

Owner: unassigned

Submitted by: Maxime Devos

Severity: normal

Maxime Devos wrote on 2 Aug 2022 20:06

Recipients:(address . bug-guix@gnu.org)

Message-ID:54a7e640-ae14-6e6c-6877-35ddc6bb3e35@telenet.be

I noticed rust-brotli-sys bundles brotli: 
https://github.com/bitemyapp/brotli2-rs/blob/master/brotli-sys/build.rs#L16.

The version it bundles is apparently insecure: 
https://github.com/bitemyapp/brotli2-rs/issues/45

As mentioned at https://github.com/actix/actix-web/issues/2537, there 
have been multiple PR updating it to new PR but they were abandoned, so 
it appears we have to remove rust-brotli-sys entirely (in favour of 
rust-brotli?) or merge one of them (or better: unbundle) things on our own.

Greetings,
Maxime.

Attachment: OpenPGP_0x49E3EE22191725EE.asc

Attachment: OpenPGP_signature

Maxime Devos wrote on 2 Aug 2022 20:13

Recipients:

Message-ID:fbe3eac2-4740-8e5e-1317-84470947afbe@telenet.be

Friendly reminder to the original patch author and committer (*) to 
check for bundling during review.

(*) 
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=52cc16b38b1b01b2bb354ed5510120856de15d39

Greetings,
Maxime.

Attachment: OpenPGP_0x49E3EE22191725EE.asc

Attachment: OpenPGP_signature

Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 56895@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 56895

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date