GNU bug report logs -
#54439
Rust: Add Rust 1.59, set default to 1.59.
Your bug report
#54439: [kiasoc5 <at> tutanota.com: Rust CVE]
which was filed against the guix-patches package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 53461 <at> debbugs.gnu.org.
--
54439: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=54439
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
Jim Newsome <jim <at> jimnewsome.net> writes:
> Hi, I'm new to this project and this code-review workflow, so please bear with me :).
Welcome! You are doing great. :-)
> It looks like there have been a few attempts here at updating Rust, including [Paul's], [Felipe's], and [my own].
>
> [Paul's]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=54439#5
> [Felipe's]: https://issues.guix.gnu.org/54475#0
> [my own]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=56684
Indeed. :-/
> There's some discussion in this thread about using an updated mrustc and using that to cut out some earlier steps of the bootstrap chain. I propose leaving that out for the moment. It seems both nontrivial and orthogonal, so IMO would make more sense as its own thread / patch-set, which could be reviewed and merged independently, before or after this one.
This has recently been done on the 'staging' branch courtesy of Efraim.
> I think there's some confusion about where and how tests are enabled/disabled. IIUC in the current baseline, they are disabled in `rust-1.55`, which is the first version built with an earlier "official" rust:
>
> ```
> ;; Only the final Rust is tested, not the intermediate bootstrap ones,
> ;; for performance and simplicity.
> #:tests? #f
> ```
>
> and subsequent versions inherit that via the `rust-bootstrapped-package` function.
>
> The latest and public version (currently `rust-1.57`) re-enables most of the tests and fixes up some things so that the tests pass.
>
> So I think the approach here when adding versions is to change the current latest (1.57) to the simpler form that keeps tests disabled, add any additional necessary steps, and have the test-reenabling code again in the latest version.
That is my understanding too.
> 2 patches included:
>
> * First is a pure refactor to decouple "rust-1.57" from "rust" to help avoid confusion in the future.
> * Second adds 1.58, 1.59, and 1.60, and makes rust-1.60 the new rust.
>
> In the latter patch I also tried building each version with a Rust 2 versions back instead of just 1 version back, to see if any can be left out. Unfortunately they couldn't. I'm including some of the errors in the comments for reference.
LGTM, I've pushed both patches to the 'staging' branch since Rust was
already patched there and it has not started evaluating yet.
Note: I also added a copyright line for you, hope that was okay.
Closing the issue, but feel free to continue the discussion.
----- Forwarded message from kiasoc5 <at> tutanota.com -----
Date: Sun, 23 Jan 2022 01:20:10 +0100 (CET)
From: kiasoc5 <at> tutanota.com
To: guix-security <at> gnu.org
Subject: Rust CVE
Hi,
Rust has a new CVE that is only mitigated by upgrading to Rust 1.58+.
https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html
Attached is a patch that adds rust-1.58.1. It doesn't replace the default as I'm not sure whether this should be grafted or not.
Thanks
kiasoc5
From 753f4e9c68a7b12267989d1721e97841d9f499d0 Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5 <at> tutanota.com>
Date: Sat, 22 Jan 2022 19:10:50 -0500
Subject: [PATCH] gnu: Add rust-1.58.
* gnu/packages/rust.scm (rust-1.58): New variable.
---
gnu/packages/rust.scm | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
index 5a6d4a5c30..c9b44da844 100644
--- a/gnu/packages/rust.scm
+++ b/gnu/packages/rust.scm
@@ -784,6 +784,10 @@ (define rust-1.57
`("procps" ,procps)
(package-native-inputs base-rust))))))
+(define rust-1.58
+ (rust-bootstrapped-package
+ rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
+
;;; Note: Only the latest versions of Rust are supported and tested. The
;;; intermediate rusts are built for bootstrapping purposes and should not
;;; be relied upon. This is to ease maintenance and reduce the time
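Review bot: `(define rust-1.58` at the first added line binds the new version with a plain `define`, and nothing in this hunk changes what the default `rust` points to (the cover letter says as much), so the fixed compiler is not exported from the module and packages built with the default toolchain do not pick it up. The comment directly below the addition says only the latest Rust is supported and tested and that intermediate rusts exist for bootstrapping, which makes 1.58.1 as added here another bootstrap step rather than a mitigation. Suggest moving the public, test-enabled definition onto `rust-1.58` in the same patch, or at minimum using `define-public`, and naming CVE-2022-21658 in the commit message so the reason for the bump is recorded in the history.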
base-commit: dfc32d8d997da74a6e838b450649bd89905ffdc3
--
2.34.1
----- End forwarded message -----
This bug report was last modified 2 years and 286 days ago.