Stream: git-wasmtime

Topic: wasmtime / PR #8278 Record cargo-vet violations for older...

view this post on Zulip Wasmtime GitHub notifications bot (Apr 01 2024 at 21:05):

jameysharp opened PR #8278 from jameysharp:vet-violations to bytecodealliance:main:

When I tried to audit our previous exemption for zstd, I found two buffer overruns which were reachable from safe Rust, although not reachable from Wasmtime. I got them fixed upstream but didn't update our cargo-vet audits to reflect the issue with the older versions.

Alex updated our dependencies to pull in the fixed versions in #7870, and this PR notes for the benefit of anyone importing the Bytecode Alliance audit set that older versions should not be used.

See https://github.com/gyscos/zstd-rs/pull/231

view this post on Zulip Wasmtime GitHub notifications bot (Apr 01 2024 at 21:05):

jameysharp requested alexcrichton for a review on PR #8278.

view this post on Zulip Wasmtime GitHub notifications bot (Apr 01 2024 at 21:05):

jameysharp requested wasmtime-default-reviewers for a review on PR #8278.

view this post on Zulip Wasmtime GitHub notifications bot (Apr 01 2024 at 21:14):

jameysharp commented on PR #8278:

I'm confused by the CI failure here. I ran cargo vet locally and, although it complained about the new wasmtime-slab crate not having an audit-as-crates-io entry, it didn't complain about my actual changes. However I do get the same errors as in CI if I used cargo vet --locked; maybe the audit-as-crates-io thing masked the issue.

view this post on Zulip Wasmtime GitHub notifications bot (Apr 01 2024 at 23:32):

alexcrichton submitted PR review:

I personally get pretty confused with the interfactions of our configuration and new crates we add. I think it's an unfortunate interaction by how when a new crate is added it's not published on crates.io but then later on once it gets published we need new configuration, but only after it's later been published. Or... something like that? I've never bottomed it out to fully understand what's happening here, I tend to just throw things at the wall and see what sticks.

view this post on Zulip Wasmtime GitHub notifications bot (Apr 02 2024 at 17:20):

alexcrichton commented on PR #8278:

You may need to remove ~/.cache/cargo-vet, I just did that to resolve a difference I was seeing on CI as well

view this post on Zulip Wasmtime GitHub notifications bot (Aug 26 2024 at 19:25):

jameysharp updated PR #8278.

Last updated: Oct 23 2024 at 20:03 UTC