GNU bug report logs - #32834
[PATCH] gnu: icecat: Build with rust-1.24.


Package: guix-patches;

Reported by: Efraim Flashner <efraim <at> flashner.co.il>

Date: Tue, 25 Sep 2018 05:03:02 UTC

Severity: normal

Tags: patch

Done: Efraim Flashner <efraim <at> flashner.co.il>

Bug is archived. No further changes may be made.


From: Joe Hillenbrand <joehillen <at> gmail.com>
To: ng0 <at> n0.is
Cc: mhw <at> netris.org, Ludovic Courtès <ludo <at> gnu.org>, 32834 <at> debbugs.gnu.org
Subject: [bug#32834] [PATCH] gnu: icecat: Build with rust-1.24.
Date: Tue, 2 Oct 2018 20:48:01 -0700

Rust 1.24.0 suffers from this CVE:
https://www.cvedetails.com/cve/CVE-2018-1000622/

But I don't think it's relevant to building Firefox since it only
affects rustdoc plugins.

On Tue, Oct 2, 2018 at 2:47 AM Nils Gillmann <ng0 <at> n0.is> wrote:
>
> Ludovic Courtès transcribed 1.2K bytes:
> > Nils Gillmann <ng0 <at> n0.is> skribis:
> >
> > > Efraim Flashner transcribed 782 bytes:
> > >>
> > >>
> > >> On September 29, 2018 9:55:36 PM UTC, ludo <at> gnu.org wrote:
> > >> >Hi Efraim,
> > >> >
> > >> >Efraim Flashner <efraim <at> flashner.co.il> skribis:
> > >> >
> > >> >> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
> > > >> >> compatible rust over newer releases when building icecat.
> > >> >
> > >> >[...]
> > >> >
> > >> >> +      ;; Icecat 60 checkes for rust>=1.24
> > >> >> +     `(("rust" ,rust-1.24)
> > >> >> +       ("cargo" ,rust-1.24 "cargo")
> > >> >
> > >> >I suppose the goal is to reduce the build chain, right?
> > >>
> > >> Right. Currently each round of rust takes about 12 hours on my fast aarch64 board. This built successfully on aarch64 and ng0 was able to build and test it on x86_64.
> > >
> > > It is convenient (less than 36 hours build, build only one version of
> > > rust), but I have to second the doubt about CVEs.
> > > Mark, have you considered asking Mozilla about their recommended
> > > strategy wrt choosing the right rust for a Firefox-based browser
> > > building and implications of using an older rust for crates already
> > > in Firefox?
> >
> > I suspect Mozilla is not paying attention to bootstrapping issues the
> > way we do, so they’d probably recommend just using the latest Rust
> > version.
> >
> > Ludo’.
>
> Turns out they have it documented: https://wiki.mozilla.org/Rust_Update_Policy_for_Firefox
> for 60:
> Firefox Version   Requires      Rust release date   Firefox release date
> Firefox 60        Rust 1.24.0   2018 February 15    2018 May 9
>
>
>




This bug report was last modified 6 years and 216 days ago.
