| 21 Oct 2025 |
niklaskorz | tested two meson-based packages and they build fine | 22:04:06 |
niklaskorz | so from my perspective there have been enough reference packages in the comments that show this is good to go as-is | 22:07:08 |
Sandro 🐧 | nice, thank you | 22:41:13 |
niklaskorz | let's give Alyssa Ross some more time to react but otherwise I'd merge it tomorrow | 23:03:49 |
niklaskorz | (in reply to hexa: "ugh, I'm rewriting that") After going through the relevant Cargo.tomls in servo and mozjs I can only conclude that this is the correct behavior | 23:17:46 |
niklaskorz | I don't have an answer yet why cargo metadata would try to fetch a dependency that's disabled by default though | 23:18:10 |
hexa | there is --locked for cargo metadata, but mozjs doesn't lock anything | 23:20:26 |
hexa | and --offline is likely going to fail, because it can't fetch? | 23:20:44 |
hexa | but that would imply patching cargo_metadata | 23:21:22 |
| 22 Oct 2025 |
niklaskorz | Seeing what it's used for, i.e., determining the include path inside another crate, it seems easier to just replace the whole detection instead (so just the invocation of that function) | 06:56:07 |
niklaskorz | testing that now, let's see | 07:52:35 |
niklaskorz | it's still building so I guess that's a good sign | 08:10:06 |
Alyssa Ross | thanks for the ping. I'll look today. Catching up after having been sick. | 09:30:07 |
niklaskorz | hexa: build passing 👀 | 09:34:58 |
niklaskorz | [image attachment: grafik.png] | 09:35:32 |
niklaskorz | sending the diff as a PR review in a moment | 09:36:07 |
| 23 Oct 2025 |
niklaskorz | https://nvd.nist.gov/vuln/detail/CVE-2025-62518 | 22:04:02 |
niklaskorz | "tarmageddon" | 22:04:25 |
niklaskorz | Doesn't really seem to be used outside uv fortunately (which was already bumped to the fixed release) | 22:08:43 |
niklaskorz | Oh nvm we do have some other affected Rust packages (that don't have a fixed release) | 22:10:06 |
niklaskorz | ripgrep-all at least | 22:11:37 |
niklaskorz | > This security flaw affects not only projects using async-tar but also tokio-tar, an extremely popular fork with over 7 million downloads on crates.io that has also been abandoned. | 22:13:27 |
niklaskorz | oh no | 22:13:29 |
Ben Sparks | could this be made into a ZHF sidequest? | 22:56:17 |
hexa | you mean poking upstreams to relock? 😄 | 22:58:08 |