[Pkg-rust-maintainers] Bug#981153: Bug#981153: cargo: Please package new upstream (blocks Firefox 85)
Fabian Grünbichler
f.gruenbichler at proxmox.com
Fri Jan 29 09:19:29 GMT 2021
On January 27, 2021 2:22 pm, Amy Kos wrote:
> Hi,
>
> raising severity, due to several high impact security vulnerabilities fixed in Firefox 85.
>
> https://www.mozilla.org/en-US/security/advisories/mfsa2021-03/
IMHO we'd need a freeze exception from the RT to update cargo at this
point in the release cycle.
note that updating cargo in the regular fashion also entails
- updating src:rust-cargo with its massive dependency chain, handling
all rdeps
- updating debcargo to work with the new cargo version (often
non-trivial)
before src:cargo can be updated to re-use the work/patches/.. above.
while we could in theory just update src:cargo to avoid the massive
churn, it means a lot of duplicate work between the "vendored for
bootstrap purposes" dependencies in src:cargo and the regular crates in
src:rust-cargo's dependency tree which are managed with debcargo.
updating cargo is currently almost single-handedly done by infinity0
with occasional help from me. the same goes for rustc. for both,
updating to a new upstream release is in itself already quite a lot of
work: rebasing patches, analyzing changed dependencies and their
copyright situation, making sure debian-related special stuff still
works as expected. updating src:cargo takes weeks of coordinated effort
by the rust-team because of the long tail of deps and rdeps, and will
most likely lead to breakage in other packages spilling into the freeze
proper, which would require more exceptions to clean up.
we'd need to act really fast to pull this off, and likely the only
viable solution would be to update and upload src:rust-cargo and
everything that's needed there to experimental (to avoid interfering
with the rest of src:rust-* and the freeze), then update src:cargo
(still benefiting from the work that went into experimental), and then,
post-full-freeze, upload the things from experimental to unstable and
update debcargo.