uv/crates/uv-extract at 2d5c166642dfa7b78b37db6bfcea70e1d06a954e - mirrors/uv

mirrors/uv

mirror of https://github.com/astral-sh/uv.git synced 2025-10-28 10:50:29 +00:00

History

Krishnan Chandra 4b4128446d Support xz compressed packages (#5513 ) ## Summary Closes #2187. The [xz backdoor](https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27) is still fairly recent, but luckily the [Rust `xz2` crate bundles version 5.2.5 of the C `xz` package](https://github.com/alexcrichton/xz2-rs/tree/main/lzma-sys), which is before the backdoor was introduced. It's worth noting that a security risk still exists if you have a compromised version of `xz` installed on your system, but that risk is not introduced by `uv` or the Rust packages in general. ## Test Plan Tried installing the package mentioned in the linked issue: `python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.7.6/python-apt_2.7.6.tar.xz` (Note that this will only work on Ubuntu - I tried on a Mac and while the archive was extracted properly, the package did not install because of some missing files) --------- Co-authored-by: Charlie Marsh <charlie.r.marsh@gmail.com>	2024-07-28 18:37:48 +00:00
..
src	Support xz compressed packages (#5513 )	2024-07-28 18:37:48 +00:00
Cargo.toml	Support xz compressed packages (#5513 )	2024-07-28 18:37:48 +00:00

Krishnan Chandra 4b4128446d

## Summary

Closes #2187.

The [xz
backdoor](https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27)
is still fairly recent, but luckily the [Rust `xz2` crate bundles
version 5.2.5 of the C `xz`
package](https://github.com/alexcrichton/xz2-rs/tree/main/lzma-sys),
which is before the backdoor was introduced.

It's worth noting that a security risk still exists if you have a
compromised version of `xz` installed on your system, but that risk is
not introduced by `uv` or the Rust packages in general.

## Test Plan

Tried installing the package mentioned in the linked issue: `python-apt
@
https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.7.6/python-apt_2.7.6.tar.xz`

(Note that this will only work on Ubuntu - I tried on a Mac and while
the archive was extracted properly, the package did not install because
of some missing files)

---------

Co-authored-by: Charlie Marsh <charlie.r.marsh@gmail.com>

2024-07-28 18:37:48 +00:00

src

Support xz compressed packages (#5513 )

2024-07-28 18:37:48 +00:00

Cargo.toml

Support xz compressed packages (#5513 )

2024-07-28 18:37:48 +00:00