From 166fc915db633239b98a148de3a6a52740bc996c Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Thu, 18 Jun 2026 08:21:33 +0200
Subject: [PATCH 1/3] gha: disable "Trusted" Publishing flows temporarily
These are actually far more dangerous than you would expect and while I was never fully comfortable with allowing GitHub to publish releases on my behalf, the recent supply chain attacks (such as Mini Shai-Hulud) kind of show that doing this is a really bad idea. It would be great if crates.io and PyPI provided a way for you to sign releases with your own key that is on some kind of hardware-backed device, but sadly those don't really exist (detached PGP signatures in PyPI are useless and PEP 480 has stalled, while crates.io just straight up has no mechanism for actual signing?!).
Signed-off-by: Aleksa Sarai
---
 .github/workflows/bindings-python.yml | 2 +-
 .github/workflows/rust.yml | 2 +-
 CHANGELOG.md | 17 +++++++++++++++++
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/bindings-python.yml b/.github/workflows/bindings-python.yml
index 14cb5427..6982b0ff 100644
--- a/.github/workflows/bindings-python.yml
+++ b/.github/workflows/bindings-python.yml
@@ -145,7 +145,7 @@ jobs:
 # TODO: Should we move this to a separate workflow?
 release-pypi:
- if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+ if: false && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
 needs:
 - build-pyproject
 - python-complete
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index ef5e86dc..2186ffd5 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -657,7 +657,7 @@ jobs:
 - run: echo "Rust CI jobs completed successfully."
 release-crate:
- if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+ if: false && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
 needs:
 - rust-complete
 runs-on: ubuntu-latest
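Review bot: The `if: false &&` prefix on `release-pypi` (and the identical one on `release-crate` in `.github/workflows/rust.yml`) only stops this repository from starting the job; it does not revoke the publishing right that the commit message objects to. If a Trusted Publisher entry for this repository is still configured on PyPI or crates.io (not visible from the diff), the registry will keep accepting the forge's OIDC identity and the guard can be undone by a one-line workflow edit, so those entries should be deleted on the registry side alongside this change. Both job bodies continue outside the hunks; if they still carry `permissions: id-token: write`, dropping it while the job is disabled would remove the remaining token grant. A comment above each condition, e.g. `# Disabled on purpose: Trusted Publishing is off, see the [!IMPORTANT] note in CHANGELOG.md`, would keep the dead condition from being read as a leftover.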
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 68cb86e2..ed46d223 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,23 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ## [Unreleased] ##
+> [!IMPORTANT]
+> Due to the rising tide of supply chain attacks, we have stopped using
+> "Trusted" Publishing for our crates.io and PyPi releases. Their
+> UIs imply that such releases are "more trusted" but as the recent attacks
+> have shown, they actually grant your code forge's *entire infrastructure* the
+> right to release things on your behalf.
+>
+> It would be nice if `crates.io` and PyPI supported a proper signing model
+> where developers control their keys, but that is sadly not the case today.
+> For PyPI, [detached PGP keys in PyPI are basically security
+> theatre][pypi-sigs-2023] and [PEP 480][PEP-480] has stalled; for `crates.io`
+> there appears to be *no* mechanism for signing your releases with a key you
+> control directly!
+
+[pypi-sigs-2023]: https://blog.yossarian.net/2023/05/21/PGP-signatures-on-PyPI-worse-than-useless
+[PEP-480]: https://peps.python.org/pep-0480/
+
 ### Breaking ###
 * `pathrs_inroot_hardlink` and `pathrs_inroot_symlink` have been switched to using the standard argument order from their respective system calls
From 080908395e75a32a5c4dbe9b318bf93643429f9f Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Thu, 18 Jun 2026 00:34:46 +0200
Subject: [PATCH 2/3] VERSION: release v0.2.5
Signed-off-by: Aleksa Sarai
---
 CHANGELOG.md | 22 ++++++++++++++++------
 Cargo.lock | 2 +-
 Cargo.toml | 2 +-
 contrib/bindings/python/pyproject.toml | 2 +-
 4 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ed46d223..b2c18fa8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ## [Unreleased] ##
+## [0.2.5] - 2026-06-17 ##
+
+> Or, to save on postage, I'll just poison him with this!
+
 > [!IMPORTANT]
 > Due to the rising tide of supply chain attacks, we have stopped using
 > "Trusted" Publishing for our crates.io and PyPi releases. Their
@@ -77,11 +81,16 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ### Fixed ###
 - Containers often have `/proc/sys` overmounted with a read-only mount to avoid
- container escapes, this caused:
- - The `O_PATH` resolver to panic because the hardened procfs lookup for
- `/proc/sys/fs/protected_symlinks` would fail. We now conservatively assume
- that `fs.protected_symlinks` is enabled if we cannot access the file for
- any reason.
+ container escapes, this caused the `O_PATH` resolver to panic because the
+ hardened procfs lookup for `/proc/sys/fs/protected_symlinks` would fail. We
+ now conservatively assume that `fs.protected_symlinks` is enabled if we
+ cannot access the file for any reason.
+
+ This also causes attempts to access `/proc/sys` files using `ProcfsHandle` to
+ also fail (by design). In the future we plan to provide some quality-of-life
+ improvements to permit access in those cases, but at the moment users need to
+ be aware that those kinds of accesses can fail.
+
 - `Root::readlink` and `ProcfsHandle::readlink` would previously return `ENOENT` if the target path existed but was not a symlink. This occurred because of a peculiar asymmetry in the kernel APIs for `readlinkat(2)`, but
@@ -768,7 +777,8 @@ Initial release.
 - C FFI.
 - Python bindings.
-[Unreleased]: https://github.com/cyphar/libpathrs/compare/v0.2.4...HEAD
+[Unreleased]: https://github.com/cyphar/libpathrs/compare/v0.2.5...HEAD
+[0.2.5]: https://github.com/cyphar/libpathrs/compare/v0.2.4...v0.2.5
 [0.2.4]: https://github.com/cyphar/libpathrs/compare/v0.2.3...v0.2.4
 [0.2.3]: https://github.com/cyphar/libpathrs/compare/v0.2.2...v0.2.3
 [0.2.2]: https://github.com/cyphar/libpathrs/compare/v0.2.1...v0.2.2
diff --git a/Cargo.lock b/Cargo.lock
index 6f4bc8bc..925658ef 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -363,7 +363,7 @@ checksum = "17359afc20d7ab31fdb42bb844c8b3bb1dabd7dcf7e68428492da7f16966fcef"
 [[package]]
 name = "pathrs"
-version = "0.2.4+dev"
+version = "0.2.5"
 dependencies = [
 "anyhow",
 "bitflags 2.13.0",
diff --git a/Cargo.toml b/Cargo.toml
index 54556ee3..d944ee4f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -31,7 +31,7 @@
 [package]
 name = "pathrs"
-version = "0.2.4+dev"
+version = "0.2.5"
 license = "MPL-2.0 OR LGPL-3.0-or-later"
 authors = ["Aleksa Sarai "]
diff --git a/contrib/bindings/python/pyproject.toml b/contrib/bindings/python/pyproject.toml
index 0cd35d99..4b8fb371 100644
--- a/contrib/bindings/python/pyproject.toml
+++ b/contrib/bindings/python/pyproject.toml
@@ -21,7 +21,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "pathrs"
 # TODO: Figure out a way to keep this version up-to-date with Cargo.toml.
-version = "0.2.4+dev"
+version = "0.2.5"
 description = "Python bindings for libpathrs, a safe path resolution library for Linux."
 readme = "README.md"
 keywords = ["libpathrs", "pathrs"]
From 91df82a8ff294b33c0dea3bb9c5c8c696ec7d50a Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Thu, 18 Jun 2026 00:35:18 +0200
Subject: [PATCH 3/3] VERSION: back to development
Signed-off-by: Aleksa Sarai
---
 Cargo.lock | 2 +-
 Cargo.toml | 2 +-
 contrib/bindings/python/pyproject.toml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 925658ef..d7dd26b1 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -363,7 +363,7 @@ checksum = "17359afc20d7ab31fdb42bb844c8b3bb1dabd7dcf7e68428492da7f16966fcef"
 [[package]]
 name = "pathrs"
-version = "0.2.5"
+version = "0.2.5+dev"
 dependencies = [
 "anyhow",
 "bitflags 2.13.0",
diff --git a/Cargo.toml b/Cargo.toml
index d944ee4f..2955cf0c 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -31,7 +31,7 @@
 [package]
 name = "pathrs"
-version = "0.2.5"
+version = "0.2.5+dev"
 license = "MPL-2.0 OR LGPL-3.0-or-later"
 authors = ["Aleksa Sarai "]
diff --git a/contrib/bindings/python/pyproject.toml b/contrib/bindings/python/pyproject.toml
index 4b8fb371..aee9ff82 100644
--- a/contrib/bindings/python/pyproject.toml
+++ b/contrib/bindings/python/pyproject.toml
@@ -21,7 +21,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "pathrs"
 # TODO: Figure out a way to keep this version up-to-date with Cargo.toml.
-version = "0.2.5"
+version = "0.2.5+dev"
 description = "Python bindings for libpathrs, a safe path resolution library for Linux."
 readme = "README.md"
 keywords = ["libpathrs", "pathrs"]