I received a USN last night warning that my snap has rsync vulnerabilities. However, I can’t verify that my snap has it.
I ran snap run --shell ... and didn’t see rsync. My dependency list in the snapcraft.yaml file also doesn’t have rsync. I did build the snap with an Ubuntu that had the old rsync installed, but I don’t see any trace of it in my snap.
Am I still vulnerable? Is there another way I can check that I’m vulnerable?
EDIT: how can I tell that this vulnerability is real and not just appearing as metadata in the manifest.yaml file from when we built the snap?
If you’re using the Build Service at build.snapcraft.io or the Launchpad Builders at launchpad.net then the manifest.yaml will be accurate for the stage-packages that were actually staged into your snap. It might be that you remove some of the files after this step such as with the stage or prime keywords, but the manifest will still report the packages that provided those files as included.
@zjoseal If the package is in stage-packages but not in primed-stage-packages, it is because snapcraft recently started tracking that you have included a stage package (or dependency) as part of the build, but did not ship it in the final snap. Eventually, as @jdstrand indicated, the notifications should be restricted to the packages detected as having been shipped in the snap (primed-stage-packages).
If the package in question is still listed in primed-stage-packages but was not shipped in the snap, please do let us know!
Hmmm. The rsync package is only under stage-packages, but I couldn’t find a primed-stage-packages string anywhere in the manifest.yaml. How should I interpret this? Does this mean that none of my packages were shipped in the final snap?
I was thinking that the primed-stage-packages feature was in the snapcraft version published to the stable channel (v3.9), but it is not. It is available in candidate (v3.10) or edge. Sorry about the confusion!
@cjp256 (cc @sergiusens, @jdstrand) FYI the notification service is now evaluating the primed-stage-packages section if present in the snap manifest.yaml. For compatibility, it is still inspecting stage-packages whenever primed-stage-packages does not exist at all.
@zjoseal from now on, you should not receive this type of notification for packages that are not eventually present in your snap.
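As an added example (not code from the thread or from snapcraft), the following Python script applies the rule described in the replies above to a snap's manifest.yaml: check primed-stage-packages when that section exists, otherwise fall back to stage-packages. It assumes the manifest lists packages as `name=version` entries in YAML block sequences (as snapcraft emits them), so it needs no YAML library; the sample manifest is constructed to reproduce the rsync case from the original post.

```python
"""Decide whether a package flagged in a USN was actually shipped in a snap,
based on the stage-packages / primed-stage-packages sections of the snap's
manifest.yaml (assumption: found at snap/manifest.yaml in the unsquashed snap)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample manifest (snapcraft >= 3.10 layout): rsync was pulled in
# at build time but is absent from primed-stage-packages, i.e. not shipped.
SAMPLE_MANIFEST = """\
snapcraft-version: '3.10'
stage-packages:
- libc6=2.27-3ubuntu1
- rsync=3.1.2-2.1ubuntu1
primed-stage-packages:
- libc6=2.27-3ubuntu1
"""


def parse_package_lists(manifest_text: str) -> Dict[str, List[str]]:
    """Minimal parser for top-level 'key:' blocks holding '- name=version' items."""
    lists: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in manifest_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        item = re.match(r"^\s*-\s*(\S+)", line)
        if item:
            if current is not None:
                lists[current].append(item.group(1))
        elif line[0].isspace():
            current = None  # nested mapping, not one of the package lists
        else:
            key, _, rest = line.partition(":")
            current = key.strip() if rest.strip() == "" else None
            if current is not None:
                lists[current] = []
    return lists


def package_names(entries: List[str]) -> set:
    return {e.split("=", 1)[0] for e in entries}


def shipped_status(manifest_text: str, package: str) -> Tuple[bool, str]:
    """Return (shipped, reason) using the notification service's rule."""
    lists = parse_package_lists(manifest_text)
    staged = package_names(lists.get("stage-packages", []))
    if "primed-stage-packages" in lists:
        if package in package_names(lists["primed-stage-packages"]):
            return True, "listed in primed-stage-packages"
        if package in staged:
            return False, "staged at build time but not primed"
        return False, "not in manifest"
    if package in staged:  # older snapcraft: no primed section, assume shipped
        return True, "no primed-stage-packages section; stage-packages fallback"
    return False, "not in manifest"
```

To check a real snap, unsquash it (`unsquashfs mysnap.snap`) and pass the contents of its manifest.yaml plus the package name from the USN to `shipped_status`.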