fix: update mtime for generated files after unpacking #16250
Merged
+117
−0
see rust-lang/cargo 16237
Collaborator
This is the unpacking half of rust-lang#16237.

Updating mtime for all files might not be worthwhile, as crates published after 1.54 should all have the deterministic mtime for non-generated files, except those that were manually uploaded. This patch is aimed at fixing the "regression" of vendor direct extraction, rather than a complete fix of the non-deterministic mtime. Also, there are workarounds, so the workflow is not completely blocked.

Since Cargo had a couple CVEs around tar and unpack, I separate the mtime update logic from the main unpack logic, so that each function's intent is clearer. Hope it won't introduce a new vulnerability.
c799b48 to
2f6852f
Compare
Member
Author
I love how the new typo= job shows typos:
epage
approved these changes
Nov 13, 2025
Contributor
Except why isn't that highlighting the typos span?
Member
Author
Because I failed to copy that 😆. Here is the right diagnostic:
bors
added a commit
to rust-lang/rust
that referenced
this pull request
Nov 19, 2025
Update cargo submodule

13 commits in 2d4fa139552ebdd5f091a1401ed03f7dc62cb43f..5c0343317ce45d2ec17ecf41eaa473a02d73e29c
2025-11-12 15:56:06 +0000 to 2025-11-18 19:05:44 +0000
- feat: emit a warning when both `package.publish` and `--index` are specified (rust-lang/cargo#16268)
- docs(cargo-yank): clarify yank behavior with leaked credentials (rust-lang/cargo#16274)
- feat(generate-lockfile): Add unstable --publish-time flag (rust-lang/cargo#16265)
- Do not lock the artifact-dir for check builds (rust-lang/cargo#16230)
- fix(fingerprint): force update mtime of cargo-check artifacts (rust-lang/cargo#16262)
- fix(manifest): Point out when a key belongs to config (rust-lang/cargo#16256)
- Use raw false during cfg test (rust-lang/cargo#16261)
- Suppress metadata warnings for non–crates.io publishable packages (rust-lang/cargo#16241)
- feat(tree): Support long forms for --format variables (rust-lang/cargo#16204)
- fix(config): Fallback to non-canonical path for workspace-path-hash (rust-lang/cargo#16248)
- fix: update mtime for generated files after unpacking (rust-lang/cargo#16250)
- feat(cli): Add support for completing `--config` values in Bash (rust-lang/cargo#16245)
- feat: Add a typos CI job (rust-lang/cargo#16122)
github-actions bot
pushed a commit
to rust-lang/miri
that referenced
this pull request
Nov 20, 2025
What does this PR try to resolve?
This is the unpacking half of #16237
Updating mtime for all files might not be worthwhile, as crates published
after 1.54 should all have the deterministic mtime for non-generated
files, except those that were manually uploaded.
This patch is aimed at
fixing the "regression" of vendor direct extraction,
rather than a complete fix of the non-deterministic mtime.
Also there are workarounds,
so the workflow is not completely blocked.
Fixes #16237
How to test and review this PR?
Since Cargo had a couple CVEs around tar and unpack,
I separate the mtime update logic from the main unpack logic,
so that each function's intent is clearer.
Hope it won't introduce a new vulnerability.