Avoid altering signature for .cargo/vendor files #800

Merged
merged 1 commit into from
Mar 9, 2023

@atoomic atoomic commented Dec 29, 2022

When using the content of the clamav tarball in a git repository, to version a Debian or RedHat package for example, we should never alter the files from cargo, or this results in a corrupted signature and thus we cannot install the files.

As the repo provides its own .gitattributes we cannot easily overwrite it without manually updating .git/info/attributes.

Alternatively we could remove the .gitattributes file from the tarball when generating it.

atoomic commented Dec 29, 2022

Note that the published tarballs contain .cargo/vendor files and at the same time a global .gitattributes (at the root) coming from https://github.com/Cisco-Talos/clamav/blob/main/.gitattributes#L3 which explicitly sets `* text=auto`.

This change is overwriting that policy for the content of the libclamav_rust directory so Rust files are not updated, which could then result in an invalid signature from the cargo-checksum.json files.
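
An added example, not part of the pull request or the ClamAV code base: a checker that compares a vendored crate's files against the SHA-256 values in its `.cargo-checksum.json`, run before and after a simulated CRLF-to-LF rewrite of the kind `text=auto` end-of-line normalization performs. The crate name, file contents and temporary directory are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def verify_vendored_crate(crate_dir):
    """Compare each file's SHA-256 with the crate's .cargo-checksum.json.

    Returns a sorted list of (relative_path, reason) for every mismatch.
    """
    crate_dir = Path(crate_dir)
    manifest = json.loads((crate_dir / ".cargo-checksum.json").read_text())
    problems = []
    for rel, expected in manifest["files"].items():
        path = crate_dir / rel
        if not path.is_file():
            problems.append((rel, "missing"))
        elif hashlib.sha256(path.read_bytes()).hexdigest() != expected:
            problems.append((rel, "modified"))
    return sorted(problems)


def demo():
    """Build a constructed crate, then rewrite CRLF to LF as EOL normalization would."""
    with tempfile.TemporaryDirectory() as tmp:
        crate = Path(tmp) / "vendor" / "example-crate"  # hypothetical crate name
        (crate / "src").mkdir(parents=True)
        files = {  # constructed sample content; lib.rs ships with CRLF endings
            "Cargo.toml": b'[package]\nname = "example-crate"\n',
            "src/lib.rs": b"pub fn answer() -> u32 {\r\n    42\r\n}\r\n",
        }
        for rel, data in files.items():
            (crate / rel).write_bytes(data)
        manifest = {"files": {r: hashlib.sha256(d).hexdigest() for r, d in files.items()},
                    "package": None}
        (crate / ".cargo-checksum.json").write_text(json.dumps(manifest))

        before = verify_vendored_crate(crate)
        lib = crate / "src" / "lib.rs"
        lib.write_bytes(lib.read_bytes().replace(b"\r\n", b"\n"))  # simulated normalization
        after = verify_vendored_crate(crate)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Running `verify_vendored_crate` over each crate directory after importing a tarball into a packaging repository shows which files were rewritten on commit or checkout.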

libclamav_rust/.gitattributes (outdated)
When using the content of the `clamav` tarball in a git repository to version a debian or RedHat package for example.
We should never alter the files from cargo or this result in corrupted signature and thus we cannot install the files.

As the repo provides its own `.gitattributes` we cannot easily overwrite it without manually updating `.git/info/attributes`.

Alternatively we could remove the `.gitattributes` file from the tarball when generating it.
atoomic commented Mar 8, 2023

I've resubmitted using your suggestion.

@micahsnyder merged commit 3710689 into Cisco-Talos:main Mar 9, 2023
@micahsnyder added the 🍒cherry-pick-candidate label (A PR that should be backported once approved.) Mar 9, 2023