Closed bholley closed 5 months ago
afranchuk
commented
6 months ago I believe so after reading the code, and will verify with a potential fix shortly. As it currently exists, local and remote wildcard audits are put together in a single enum variant when ordering, so that may explain the resulting behavior.
mystor
commented
6 months ago Another option here might be for us to include a mechanism by which you can identify your repository's "public url" (for m-c that'd be "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"), which would prevent an audit with that aggregated-from URI from being imported, avoiding the cyclic import issue when an entry is removed (though generally removing entries is unsupported).
bholley
commented
6 months ago This issue only comes up when you're removing an audit but are still using it (causing it to be re-imported). I think if we just make sure to always prioritize local audits over remote ones, we should never hit the case where we re-import an audit that could otherwise be dropped.
mystor
commented
6 months ago The reason why it came up in this situation is that a fresh wildcard audit is always somewhat remote (as it requires importing a publisher entry), and there is no differentiation in the resolver right now between a wildcard audit which is partially remote vs. fully remote (which I am guessing is what @afranchuk is proposing adding).
I just figured I'd mention the aggregated-from option because otherwise it would be possible for someone to remove an audit (which they shouldn't be doing, but i'm sure someone will do from time to time), and then have their audits start failing later when aggregation is complete.
bholley
commented
6 months ago I see. That's a fair point, but I'd still opt not to add a user-facing configuration field for such an edge case.
afranchuk
commented
6 months ago I have a script which easily reproduces this problem, and have a set of changes which fixes it. Or half-fixes it: after a cargo vet certify --wildcard it'll still have the old import (which is not "fresh" at that point, having been imported when the mozilla import was added), but subsequent operations prompt the user to prune (and it does remove the unneeded import). I'm wondering whether this is acceptable and desirable behavior? If so, I can convert the state of my test script into a unit test and push up a PR.
bholley
commented
6 months ago That sound fine to me, I think that's consistent with other behavior around e.g. exemptions (certify doesn't implicitly prune).
Over on mozilla-central, @jrmuizel and @glandium identified an interesting issue where Jeff was trying to replace a regular audit with a wildcard audit. Rather than reifying the local wildcard audit, cargo-vet instead re-fetches the locally-deleted regular audit from the aggregated mozilla-wide set and re-inserts it as an import.
I'm assuming this is because the precedence order is currently:
Ideally we'd swap 2 and 3.
@afranchuk Is my hypothesis correct?