Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cargo.lock files are published for libraries #242

Closed
lfrancke opened this issue Mar 2, 2021 · 7 comments
Closed

Cargo.lock files are published for libraries #242

lfrancke opened this issue Mar 2, 2021 · 7 comments

Comments

@lfrancke
Copy link

lfrancke commented Mar 2, 2021

While investigating a security audit warning I found that the hashes libraries (I didn't check all) publish a Cargo.lock file which fixes the dependencies.

I thought this was not recommended for libraries.

Is this done on purpose for the hashes libraries?
@newpavlov
Copy link
Member

Hm, no it's not intended. I am not sure why lock files got included in the published packages. Configuration of this repository is similar to other repositories in this organization and at first glance other crates do not have this problem (I have checked aes v0.6, cmac v0.5, and some trait crates). Looking at the repository state from which one of problematic crates (sha2 v0.9.3) has been published, I don't see any suspicious differences. The only difference which I've noticed is that we specify [profile.dev] opt-level = 2 in root Cargo.toml of this repository, but I am not sure how would it result in publishing lock files by default.

@tarcieri
Any ideas?

@lfrancke
Copy link
Author

lfrancke commented Mar 2, 2021

Thank you for investigating.
I should have provided more details.
I looked at sha-1 in version 0.8.2 (and a few others) because it depends on block-buffer which in turn depends on generic-array which has a vulnerability https://rustsec.org/advisories/RUSTSEC-2020-0146.html

So we were eager to update generic-array and were surprised to find the Cargo.lock file.

@tarcieri
Copy link
Member

tarcieri commented Mar 2, 2021

I'm not sure why the Cargo.lock files got included, but regardless, it's orthogonal to your issue. AFAIK the only time they're used is with cargo install --locked (which only applies to [[bin]] crates)

@lfrancke
Copy link
Author

lfrancke commented Mar 2, 2021

Thanks @tarcieri - still learning a lot.
So far I always thought that having a Cargo.lock for a library would mean that those deps are being used.
In that case I'll have to continue my investigation.

@tarcieri
Copy link
Member

tarcieri commented Mar 2, 2021

The toplevel Cargo.lock file in your project will show the dependency resolution. You can also use cargo audit to lint for vulnerabilities.

@lfrancke
Copy link
Author

lfrancke commented Mar 2, 2021

Yep, cargo audit is what triggered all of this: fizyk20/generic-array#98
A new version has been released that fixes the issue.

That said: My confusion was because I didn't know about the different rules for 0.x.y versions where "x" is treated as "major" by Cargo.

Sorry for the noise, you were right that the Cargo.lock has nothing to do with my issue.
Not sure if you want to leave the issue open?

@tarcieri
Copy link
Member

tarcieri commented Mar 2, 2021
edited
Loading

I think we can close it.

It appears that publish-lockfile is automatically set to true for any crate that has examples, which is probably what's going on. See:

rust-lang/cargo#5654

@tarcieri tarcieri closed this as completed Mar 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tarcieri @lfrancke @newpavlov