GNU bug report logs - #32834
[PATCH] gnu: icecat: Build with rust-1.24.
Reported by: Efraim Flashner <efraim <at> flashner.co.il>
Date: Tue, 25 Sep 2018 05:03:02 UTC
Severity: normal
Tags: patch
Done: Efraim Flashner <efraim <at> flashner.co.il>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#32834; Package guix-patches. (Tue, 25 Sep 2018 05:03:02 GMT)
Acknowledgement sent to Efraim Flashner <efraim <at> flashner.co.il>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 25 Sep 2018 05:03:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
* gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
compatible rust over newer releases when building icecat.
---
gnu/packages/gnuzilla.scm | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 653cee93d..f15a51163 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -3,7 +3,7 @@
;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw <at> netris.org>
;;; Copyright © 2015 Sou Bunnbu <iyzsong <at> gmail.com>
-;;; Copyright © 2016, 2017 Efraim Flashner <efraim <at> flashner.co.il>
+;;; Copyright © 2016, 2017, 2018 Efraim Flashner <efraim <at> flashner.co.il>
;;; Copyright © 2016 Alex Griffin <a <at> ajgrf.com>
;;; Copyright © 2017 Clément Lassieur <clement <at> lassieur.org>
;;; Copyright © 2017 Nils Gillmann <ng0 <at> n0.is>
@@ -587,8 +587,9 @@ security standards.")
("zip" ,zip)
("zlib" ,zlib)))
(native-inputs
- `(("rust" ,rust)
- ("cargo" ,rust "cargo")
+ ;; Icecat 60 checkes for rust>=1.24
+ `(("rust" ,rust-1.24)
+ ("cargo" ,rust-1.24 "cargo")
("perl" ,perl)
("python" ,python-2) ; Python 3 not supported
("python2-pysqlite" ,python2-pysqlite)
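Review bot: The comment added above the rust-1.24 inputs in native-inputs gives the constraint ("rust>=1.24") but not the reason the oldest release satisfying it is preferred over the default rust, so a later reader could take the pin for a leftover. Suggest recording the reason in the comment, for example ";; IceCat 60 checks for rust>=1.24; use the oldest compatible release.", which also fixes the "checkes" typo. Because the requirement is tied to IceCat 60, the pin needs to be revisited whenever IceCat is updated, and it is worth confirming before this lands whether rust-1.24 carries known security issues that could affect the build.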
--
2.19.0
Information forwarded to guix-patches <at> gnu.org: bug#32834; Package guix-patches. (Sat, 29 Sep 2018 21:56:01 GMT)
Message #8 received at 32834 <at> debbugs.gnu.org:
Hi Efraim,
Efraim Flashner <efraim <at> flashner.co.il> skribis:
> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
> compatible rust over newer releases when building icecat.
[...]
> + ;; Icecat 60 checkes for rust>=1.24
> + `(("rust" ,rust-1.24)
> + ("cargo" ,rust-1.24 "cargo")
I suppose the goal is to reduce the build chain, right?
Mark, Danny: WDYT?
Thanks,
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#32834; Package guix-patches. (Sat, 29 Sep 2018 22:56:02 GMT)
Message #11 received at 32834 <at> debbugs.gnu.org:
On Sat, 29 Sep 2018 23:55:36 +0200
ludo <at> gnu.org (Ludovic Courtès) wrote:
> Hi Efraim,
>
> Efraim Flashner <efraim <at> flashner.co.il> skribis:
>
> > * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
> > compatible rust over newer releases when building icecat.
>
> [...]
>
> > + ;; Icecat 60 checkes for rust>=1.24
> > + `(("rust" ,rust-1.24)
> > + ("cargo" ,rust-1.24 "cargo")
>
> I suppose the goal is to reduce the build chain, right?
>
> Mark, Danny: WDYT?
I think it's a good idea.
Eventually, the rust bootchain will change to mrustc -> rust <at> 1.25.0 -> ...,
but we can cross that bridge when we come to it.
I'm not sure about Rust's policy with regard to CVEs. Are those patched
in old releases, too?
Information forwarded to guix-patches <at> gnu.org: bug#32834; Package guix-patches. (Sun, 30 Sep 2018 03:22:02 GMT)
Message #14 received at 32834 <at> debbugs.gnu.org:
Danny Milosavljevic <dannym <at> scratchpost.org> writes:
> On Sat, 29 Sep 2018 23:55:36 +0200
> ludo <at> gnu.org (Ludovic Courtès) wrote:
>
>> Hi Efraim,
>>
>> Efraim Flashner <efraim <at> flashner.co.il> skribis:
>>
>> > * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
>> > compatible rust over newer releases when building icecat.
>>
>> [...]
>>
>> > + ;; Icecat 60 checkes for rust>=1.24
>> > + `(("rust" ,rust-1.24)
>> > + ("cargo" ,rust-1.24 "cargo")
>>
>> I suppose the goal is to reduce the build chain, right?
>>
>> Mark, Danny: WDYT?
>
> I think it's a good idea.
>
> Eventually, the rust bootchain will change to mrustc -> rust <at> 1.25.0 -> ...,
> but we can cross that bridge when we come to it.
>
> I'm not sure about Rust's policy with regard to CVEs. Are those patched
> in old releases, too?
Indeed, that's my main concern. Might the older Rust compilers have
bugs that could lead to security flaws in IceCat?
Here's another possible approach to mitigate the cost of building this
long chain of Rust compilers: perhaps older versions of Rust could use
only minimal and highly stable inputs, such that they would be built
only once per core-updates cycle. Thoughts?
Mark
Information forwarded to guix-patches <at> gnu.org: bug#32834; Package guix-patches. (Sun, 30 Sep 2018 05:45:02 GMT)
Message #17 received at 32834 <at> debbugs.gnu.org:
On September 29, 2018 9:55:36 PM UTC, ludo <at> gnu.org wrote:
>Hi Efraim,
>
>Efraim Flashner <efraim <at> flashner.co.il> skribis:
>
>> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
>> compatible rust over newer releases when building icecat.
>
>[...]
>
>> + ;; Icecat 60 checkes for rust>=1.24
>> + `(("rust" ,rust-1.24)
>> + ("cargo" ,rust-1.24 "cargo")
>
>I suppose the goal is to reduce the build chain, right?
Right. Currently each round of rust takes about 12 hours on my fast aarch64 board. This built successfully on aarch64 and ng0 was able to build and test it on x86_64.
>
>Mark, Danny: WDYT?
>
>Thanks,
>Ludo’.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Information forwarded to guix-patches <at> gnu.org: bug#32834; Package guix-patches. (Sun, 30 Sep 2018 19:28:02 GMT)
Message #20 received at 32834 <at> debbugs.gnu.org:
Mark H Weaver <mhw <at> netris.org> skribis:
> Danny Milosavljevic <dannym <at> scratchpost.org> writes:
>
>> On Sat, 29 Sep 2018 23:55:36 +0200
>> ludo <at> gnu.org (Ludovic Courtès) wrote:
>>
>>> Hi Efraim,
>>>
>>> Efraim Flashner <efraim <at> flashner.co.il> skribis:
>>>
>>> > * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
>>> > compatible rust over newer releases when building icecat.
>>>
>>> [...]
>>>
>>> > + ;; Icecat 60 checkes for rust>=1.24
>>> > + `(("rust" ,rust-1.24)
>>> > + ("cargo" ,rust-1.24 "cargo")
>>>
>>> I suppose the goal is to reduce the build chain, right?
>>>
>>> Mark, Danny: WDYT?
>>
>> I think it's a good idea.
>>
>> Eventually, the rust bootchain will change to mrustc -> rust <at> 1.25.0 -> ...,
>> but we can cross that bridge when we come to it.
>>
>> I'm not sure about Rust's policy with regard to CVEs. Are those patched
>> in old releases, too?
>
> Indeed, that's my main concern. Might the older Rust compilers have
> bugs that could lead to security flaws in IceCat?
I suppose vulnerabilities are more likely to be present in Rust’s
standard library than in the compiler, but the problem remains. Given
the fast development pace, I’d be surprised if past releases received
security fixes.
> Here's another possible approach to mitigate the cost of building this
> long chain of Rust compilers: perhaps older versions of Rust could use
> only minimal and highly stable inputs, such that they would be built
> only once per core-updates cycle. Thoughts?
If it’s possible, that’d be great.
Thanks,
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#32834; Package guix-patches. (Mon, 01 Oct 2018 09:04:02 GMT)
Message #23 received at 32834 <at> debbugs.gnu.org:
Efraim Flashner transcribed 782 bytes:
>
>
> On September 29, 2018 9:55:36 PM UTC, ludo <at> gnu.org wrote:
> >Hi Efraim,
> >
> >Efraim Flashner <efraim <at> flashner.co.il> skribis:
> >
> >> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
> >> compatible rust over newer releases when building icecat.
> >
> >[...]
> >
> >> + ;; Icecat 60 checkes for rust>=1.24
> >> + `(("rust" ,rust-1.24)
> >> + ("cargo" ,rust-1.24 "cargo")
> >
> >I suppose the goal is to reduce the build chain, right?
>
> Right. Currently each round of rust takes about 12 hours on my fast aarch64 board. This built successfully on aarch64 and ng0 was able to build and test it on x86_64.
It is convenient (less than 36 hours build, build only one version of
rust), but I have to second the doubt about CVEs.
Mark, have you considered asking Mozilla about their recommended
strategy wrt choosing the right rust for a Firefox-based browser
building and implications of using an older rust for crates already
in Firefox?
If not, I will ask Firefox/Mozilla development and Rust community
tomorrow.
> >
> >Mark, Danny: WDYT?
> >
> >Thanks,
> >Ludo’.
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
>
>
Information forwarded to guix-patches <at> gnu.org: bug#32834; Package guix-patches. (Tue, 02 Oct 2018 09:17:01 GMT)
Message #26 received at 32834 <at> debbugs.gnu.org:
Nils Gillmann <ng0 <at> n0.is> skribis:
> Efraim Flashner transcribed 782 bytes:
>>
>>
>> On September 29, 2018 9:55:36 PM UTC, ludo <at> gnu.org wrote:
>> >Hi Efraim,
>> >
>> >Efraim Flashner <efraim <at> flashner.co.il> skribis:
>> >
>> >> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
>> >> compatible rust over newer releases when building icecat.
>> >
>> >[...]
>> >
>> >> + ;; Icecat 60 checkes for rust>=1.24
>> >> + `(("rust" ,rust-1.24)
>> >> + ("cargo" ,rust-1.24 "cargo")
>> >
>> >I suppose the goal is to reduce the build chain, right?
>>
>> Right. Currently each round of rust takes about 12 hours on my fast aarch64 board. This built successfully on aarch64 and ng0 was able to build and test it on x86_64.
>
> It is convenient (less than 36 hours build, build only one version of
> rust), but I have to second the doubt about CVEs.
> Mark, have you considered asking Mozilla about their recommended
> strategy wrt choosing the right rust for a Firefox-based browser
> building and implications of using an older rust for crates already
> in Firefox?
I suspect Mozilla is not paying attention to bootstrapping issues the
way we do, so they’d probably recommend just using the latest Rust
version.
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#32834; Package guix-patches. (Tue, 02 Oct 2018 09:47:02 GMT)
Message #29 received at 32834 <at> debbugs.gnu.org:
Ludovic Courtès transcribed 1.2K bytes:
> Nils Gillmann <ng0 <at> n0.is> skribis:
>
> > Efraim Flashner transcribed 782 bytes:
> >>
> >>
> >> On September 29, 2018 9:55:36 PM UTC, ludo <at> gnu.org wrote:
> >> >Hi Efraim,
> >> >
> >> >Efraim Flashner <efraim <at> flashner.co.il> skribis:
> >> >
> >> >> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
> >> >> compatible rust over newer releases when building icecat.
> >> >
> >> >[...]
> >> >
> >> >> + ;; Icecat 60 checkes for rust>=1.24
> >> >> + `(("rust" ,rust-1.24)
> >> >> + ("cargo" ,rust-1.24 "cargo")
> >> >
> >> >I suppose the goal is to reduce the build chain, right?
> >>
> >> Right. Currently each round of rust takes about 12 hours on my fast aarch64 board. This built successfully on aarch64 and ng0 was able to build and test it on x86_64.
> >
> > It is convenient (less than 36 hours build, build only one version of
> > rust), but I have to second the doubt about CVEs.
> > Mark, have you considered asking Mozilla about their recommended
> > strategy wrt choosing the right rust for a Firefox-based browser
> > building and implications of using an older rust for crates already
> > in Firefox?
>
> I suspect Mozilla is not paying attention to bootstrapping issues the
> way we do, so they’d probably recommend just using the latest Rust
> version.
>
> Ludo’.
Turns out they have it documented: https://wiki.mozilla.org/Rust_Update_Policy_for_Firefox
for 60:
Firefox Version   Requires      Rust release date   Firefox release date
Firefox 60        Rust 1.24.0   2018 February 15    2018 May 9
Information forwarded to guix-patches <at> gnu.org: bug#32834; Package guix-patches. (Wed, 03 Oct 2018 05:34:01 GMT)
Message #32 received at 32834 <at> debbugs.gnu.org:
Rust 1.24.0 suffers from this CVE
https://www.cvedetails.com/cve/CVE-2018-1000622/
But I don't think it's relevant to building Firefox since it only
affects rustdoc plugins.
On Tue, Oct 2, 2018 at 2:47 AM Nils Gillmann <ng0 <at> n0.is> wrote:
>
> Ludovic Courtès transcribed 1.2K bytes:
> > Nils Gillmann <ng0 <at> n0.is> skribis:
> >
> > > Efraim Flashner transcribed 782 bytes:
> > >>
> > >>
> > >> On September 29, 2018 9:55:36 PM UTC, ludo <at> gnu.org wrote:
> > >> >Hi Efraim,
> > >> >
> > >> >Efraim Flashner <efraim <at> flashner.co.il> skribis:
> > >> >
> > >> >> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
> > >> >> compatible rust over newer releases when building icecat.
> > >> >
> > >> >[...]
> > >> >
> > >> >> + ;; Icecat 60 checkes for rust>=1.24
> > >> >> + `(("rust" ,rust-1.24)
> > >> >> + ("cargo" ,rust-1.24 "cargo")
> > >> >
> > >> >I suppose the goal is to reduce the build chain, right?
> > >>
> > >> Right. Currently each round of rust takes about 12 hours on my fast aarch64 board. This built successfully on aarch64 and ng0 was able to build and test it on x86_64.
> > >
> > > It is convenient (less than 36 hours build, build only one version of
> > > rust), but I have to second the doubt about CVEs.
> > > Mark, have you considered asking Mozilla about their recommended
> > > strategy wrt choosing the right rust for a Firefox-based browser
> > > building and implications of using an older rust for crates already
> > > in Firefox?
> >
> > I suspect Mozilla is not paying attention to bootstrapping issues the
> > way we do, so they’d probably recommend just using the latest Rust
> > version.
> >
> > Ludo’.
>
> Turns out they have it documented: https://wiki.mozilla.org/Rust_Update_Policy_for_Firefox
> for 60:
> Firefox Version   Requires      Rust release date   Firefox release date
> Firefox 60        Rust 1.24.0   2018 February 15    2018 May 9
>
>
>
Information forwarded to guix-patches <at> gnu.org: bug#32834; Package guix-patches. (Tue, 09 Oct 2018 00:20:01 GMT)
Message #35 received at 32834 <at> debbugs.gnu.org:
Nils Gillmann <ng0 <at> n0.is> writes:
> Ludovic Courtès transcribed 1.2K bytes:
>> Nils Gillmann <ng0 <at> n0.is> skribis:
>>
>> > Efraim Flashner transcribed 782 bytes:
>> >>
>> >>
>> >> On September 29, 2018 9:55:36 PM UTC, ludo <at> gnu.org wrote:
>> >> >Hi Efraim,
>> >> >
>> >> >Efraim Flashner <efraim <at> flashner.co.il> skribis:
>> >> >
>> >> >> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
>> >> >> compatible rust over newer releases when building icecat.
>> >> >
>> >> >[...]
>> >> >
>> >> >> + ;; Icecat 60 checkes for rust>=1.24
>> >> >> + `(("rust" ,rust-1.24)
>> >> >> + ("cargo" ,rust-1.24 "cargo")
>> >> >
>> >> >I suppose the goal is to reduce the build chain, right?
>> >>
>> >> Right. Currently each round of rust takes about 12 hours on my
>> >> fast aarch64 board. This built successfully on aarch64 and ng0
>> >> was able to build and test it on x86_64.
>> >
>> > It is convenient (less than 36 hours build, build only one version of
>> > rust), but I have to second the doubt about CVEs.
>> > Mark, have you considered asking Mozilla about their recommended
>> > strategy wrt choosing the right rust for a Firefox-based browser
>> > building and implications of using an older rust for crates already
>> > in Firefox?
>>
>> I suspect Mozilla is not paying attention to bootstrapping issues the
>> way we do, so they’d probably recommend just using the latest Rust
>> version.
>>
>> Ludo’.
>
> Turns out they have it documented: https://wiki.mozilla.org/Rust_Update_Policy_for_Firefox
> for 60:
> Firefox Version   Requires      Rust release date   Firefox release date
> Firefox 60        Rust 1.24.0   2018 February 15    2018 May 9
I'm okay with switching our IceCat package to use rust-1.24.
Thanks,
Mark
Reply sent to Efraim Flashner <efraim <at> flashner.co.il>: You have taken responsibility. (Sun, 14 Oct 2018 07:01:01 GMT)
Notification sent to Efraim Flashner <efraim <at> flashner.co.il>: bug acknowledged by developer. (Sun, 14 Oct 2018 07:01:02 GMT)
Message #40 received at 32834-done <at> debbugs.gnu.org:
Pushed as 89f9df6cfd75d5180bd135c2b14fbfdc0eb6171b
--
Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 11 Nov 2018 12:24:04 GMT)
This bug report was last modified 6 years and 215 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.