On Thu, 7 Mar 2024 21:16:02 -0500, Kent Overstreet wrote:

> On Tue, Jan 30, 2024 at 06:03:56PM +1100, David Disseldorp wrote:
> > cargo audit can be used to check bcachefs dependencies for
> > vulnerabilities published in the advisory database at
> > https://github.com/RustSec/advisory-db.git
> >
> > Given the significant size of dependency sources (currently ~292M),
> > manual audit is mostly unviable, so rely on this for now.
>
> Not a good place for this, workflow-wise; I run make-release-tarball.sh
> after the new release is tagged and frequently after the tag is
> uploaded.
>
> This would better be run as some sort of cron job that emails results to
> the list when something is found.

Fair enough, will set something up as part of the downstream (openSUSE) release process.