[Pkg-rust-maintainers] Bug#1028566: unblock: rust-debcargo/2.6.0-2

Fabian Grünbichler debian at fabian.gruenbichler.email
Thu Jan 12 21:32:02 GMT 2023


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: rust-debcargo at packages.debian.org, pkg-rust-maintainers at alioth-lists.debian.net
Control: affects -1 + src:rust-debcargo

Please unblock package rust-debcargo

[ Reason ]
This update was supposed to happen before the toolchain freeze, but
unfortunately was blocked by a last-minute transition within the rust-*
ecosystem.

The update syncs the cargo library it uses (src:rust-cargo) with that of
cargo the tool (src:cargo), including a fix for CVE-2022-46176.

debcargo itself is not really a toolchain package in the classical
sense, even though it is listed as part of the toolchain package set -
it is only used to prepare (source) packages for uploading, not involved
in building them.

[ Impact ]
Without this update, cargo the tool used for building and debcargo the
tool which is used for preparing packages would use different cargo
versions, which might introduce subtle bugs. debcargo would be affected
by a MITM CVE that is not trivial to backport to the version currently
in testing, since the fix requires updating dependencies to support the
required interfaces.

[ Tests ]
debcargo itself is only slightly adapted to the new cargo library
version. The same version with the same adaptation has seen some
downstream usage in a derivative of Debian based on Debian Bullseye.

[ Risks ]
The main changes are actually in dependencies of src:rust-debcargo,
mainly src:rust-cargo, since debcargo is statically linked with it.

src:cargo 0.66 is already in testing (without the CVE fix, which has a
separate unblock request) and has extensive test coverage. The code is
identical to src:rust-cargo; they mainly differ in the resulting binary
packages and the use of regular rust-* dependencies vs. vendored ones.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028545 contains the
unblock request for adding the CVE fix to src:cargo.

This unblock request would require a whole set of rust-* packages to
migrate together; all of them have already been uploaded to unstable
(some are still building at this moment).

unblock rust-debcargo/2.6.0-2
-------------- next part --------------
diff -Nru rust-debcargo-2.6.0/debian/cargo-checksum.json rust-debcargo-2.6.0/debian/cargo-checksum.json
--- rust-debcargo-2.6.0/debian/cargo-checksum.json	2022-11-16 10:08:41.000000000 +0100
+++ rust-debcargo-2.6.0/debian/cargo-checksum.json	2023-01-12 17:33:49.000000000 +0100
@@ -1 +1 @@
-{"package":"e828d0c0708afcb4f42db47f81f226afc8cc66c518c8cf9a491578fafb41eb24","files":{}}
+{"package":"Could not get crate checksum","files":{}}
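Review bot: the new value `"package":"Could not get crate checksum"` in debian/cargo-checksum.json is a tooling error message written into the field that previously held a 64-hex-digit digest (`e828d0c0...eb24`), so the crate checksum is lost rather than updated. Regenerate the file so that a real checksum is recorded, or state in the changelog that debcargo's self-packaging path intentionally has no crate checksum; as committed, anything that compares this field against the crate tarball can no longer verify it.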
diff -Nru rust-debcargo-2.6.0/debian/changelog rust-debcargo-2.6.0/debian/changelog
--- rust-debcargo-2.6.0/debian/changelog	2022-11-16 10:08:41.000000000 +0100
+++ rust-debcargo-2.6.0/debian/changelog	2023-01-12 17:33:49.000000000 +0100
@@ -1,3 +1,10 @@
+rust-debcargo (2.6.0-2) unstable; urgency=medium
+
+  * Team upload.
+  * Rebuild debcargo 2.6.0 with cargo 0.66.0
+
+ -- Fabian Gruenbichler <debian at fabian.gruenbichler.email>  Thu, 12 Jan 2023 16:33:49 +0000
+
 rust-debcargo (2.6.0-1) unstable; urgency=medium
 
   * Team upload.
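Review bot: the changelog entry `* Rebuild debcargo 2.6.0 with cargo 0.66.0` does not cover the other changes in this debdiff: the git2 dependency bump (0.14 to 0.16), the new debian/patches/update-cargo.patch adapting the query call sites to `cargo::core::QueryKind::Exact`, the Standards-Version bump to 4.6.1, and the added `X-Cargo-Crate` field. Since the checklist above asserts that all changes are documented in d/changelog, list them here, and mention CVE-2022-46176 explicitly as the request text does, so the security motivation is visible from the package history.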
diff -Nru rust-debcargo-2.6.0/debian/control rust-debcargo-2.6.0/debian/control
--- rust-debcargo-2.6.0/debian/control	2022-11-16 10:08:41.000000000 +0100
+++ rust-debcargo-2.6.0/debian/control	2023-01-12 17:33:49.000000000 +0100
@@ -8,7 +8,7 @@
  libstd-rust-dev,
  librust-ansi-term-0.12+default-dev,
  librust-anyhow-1+default-dev,
- librust-cargo-0.63+default-dev,
+ librust-cargo-0.66+default-dev,
  librust-chrono-0.4+default-dev,
  librust-clap-3+cargo-dev,
  librust-clap-3+default-dev,
@@ -16,7 +16,7 @@
  librust-env-logger-0.9+default-dev,
  librust-filetime-0.2+default-dev,
  librust-flate2-1+default-dev,
- librust-git2-0.14+default-dev,
+ librust-git2-0.16+default-dev,
  librust-glob-0.3+default-dev,
  librust-itertools-0.10+default-dev,
  librust-log-0.4+default-dev,
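Review bot: the git2 bump from `librust-git2-0.14+default-dev` to `librust-git2-0.16+default-dev` is a semver-incompatible change in cargo's 0.x versioning, yet the only git2-related change elsewhere in this debdiff is the version string in Cargo.toml; no debcargo source using the git2 API is touched. Say in the changelog or unblock text whether debcargo's git2 usage compiles unchanged against 0.16 or whether the bump is merely forced by cargo 0.66's own git2 requirement.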
@@ -33,9 +33,10 @@
 Maintainer: Debian Rust Maintainers <pkg-rust-maintainers at alioth-lists.debian.net>
 Uploaders:
  Ximin Luo <infinity0 at debian.org>
-Standards-Version: 4.5.1
+Standards-Version: 4.6.1
 Vcs-Git: https://salsa.debian.org/rust-team/debcargo-conf.git [src/debcargo]
 Vcs-Browser: https://salsa.debian.org/rust-team/debcargo-conf/tree/master/src/debcargo
+X-Cargo-Crate: debcargo
 Rules-Requires-Root: no
 
 Package: librust-debcargo-dev
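Review bot: the Standards-Version bump from 4.5.1 to 4.6.1 and the new `X-Cargo-Crate: debcargo` field are unrelated to the cargo 0.66 rebuild and are not mentioned in the changelog entry. For a freeze-exception upload, either document them as incidental debcargo template refreshes or drop them so the debdiff stays limited to the change the release team is asked to approve.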
@@ -45,7 +46,7 @@
  ${misc:Depends},
  librust-ansi-term-0.12+default-dev,
  librust-anyhow-1+default-dev,
- librust-cargo-0.63+default-dev,
+ librust-cargo-0.66+default-dev,
  librust-chrono-0.4+default-dev,
  librust-clap-3+cargo-dev,
  librust-clap-3+default-dev,
@@ -53,7 +54,7 @@
  librust-env-logger-0.9+default-dev,
  librust-filetime-0.2+default-dev,
  librust-flate2-1+default-dev,
- librust-git2-0.14+default-dev,
+ librust-git2-0.16+default-dev,
  librust-glob-0.3+default-dev,
  librust-itertools-0.10+default-dev,
  librust-log-0.4+default-dev,
diff -Nru rust-debcargo-2.6.0/debian/copyright.debcargo.hint rust-debcargo-2.6.0/debian/copyright.debcargo.hint
--- rust-debcargo-2.6.0/debian/copyright.debcargo.hint	2022-11-16 10:08:41.000000000 +0100
+++ rust-debcargo-2.6.0/debian/copyright.debcargo.hint	2023-01-12 17:33:49.000000000 +0100
@@ -18,7 +18,7 @@
  be correct information so you should review and fix this before uploading to
  the archive.
 
-Files: ./src/debian/licenses/AGPL-3.0
+Files: src/debian/licenses/AGPL-3.0
 Copyright: 2007 Free Software Foundation, Inc. <http://fsf.org/>
 License: UNKNOWN-LICENSE; FIXME (overlay)
 Comment:
@@ -27,8 +27,8 @@
 
 Files: debian/*
 Copyright:
- 2018-2022 Debian Rust Maintainers <pkg-rust-maintainers at alioth-lists.debian.net>
- 2018-2022 Ximin Luo <infinity0 at debian.org>
+ 2018-2023 Debian Rust Maintainers <pkg-rust-maintainers at alioth-lists.debian.net>
+ 2018-2023 Ximin Luo <infinity0 at debian.org>
 License: MIT or Apache-2.0
 
 License: Apache-2.0
diff -Nru rust-debcargo-2.6.0/debian/patches/series rust-debcargo-2.6.0/debian/patches/series
--- rust-debcargo-2.6.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ rust-debcargo-2.6.0/debian/patches/series	2023-01-12 17:33:49.000000000 +0100
@@ -0,0 +1 @@
+update-cargo.patch
diff -Nru rust-debcargo-2.6.0/debian/patches/update-cargo.patch rust-debcargo-2.6.0/debian/patches/update-cargo.patch
--- rust-debcargo-2.6.0/debian/patches/update-cargo.patch	1970-01-01 01:00:00.000000000 +0100
+++ rust-debcargo-2.6.0/debian/patches/update-cargo.patch	2023-01-12 17:33:49.000000000 +0100
@@ -0,0 +1,44 @@
+Index: debcargo/Cargo.toml
+===================================================================
+--- debcargo.orig/Cargo.toml
++++ debcargo/Cargo.toml
+@@ -31,7 +31,7 @@ version = "0.12"
+ version = "1.0"
+ 
+ [dependencies.cargo]
+-version = "0.63"
++version = "0.66"
+ 
+ [dependencies.chrono]
+ version = "0.4"
+@@ -53,7 +53,7 @@ version = "0.2"
+ version = "1"
+ 
+ [dependencies.git2]
+-version = "0.14"
++version = "0.16"
+ 
+ [dependencies.glob]
+ version = "0.3"
+diff --git a/src/crates.rs b/src/crates.rs
+index c57a61f..e5dc842 100644
+--- a/src/crates.rs
++++ b/src/crates.rs
+@@ -60,7 +60,7 @@ fn hash<H: Hash>(hashable: &H) -> u64 {
+ }
+ 
+ fn fetch_candidates(registry: &mut PackageRegistry, dep: &Dependency) -> Result<Vec<Summary>> {
+-    let mut summaries = match registry.query_vec(dep, false) {
++    let mut summaries = match registry.query_vec(dep, cargo::core::QueryKind::Exact) {
+         std::task::Poll::Ready(res) => res?,
+         std::task::Poll::Pending => {
+             registry.block_until_ready()?;
+@@ -125,7 +125,7 @@ impl CrateInfo {
+                     let dep = Dependency::parse(crate_name, None, source_id)?;
+                     let mut package_id: Option<PackageId> = None;
+                     loop {
+-                        match source.query(&dep, &mut |p| package_id = Some(p.package_id())) {
++                        match source.query(&dep, cargo::core::QueryKind::Exact, &mut |p| package_id = Some(p.package_id())) {
+                             std::task::Poll::Ready(res) => {
+                                 res?;
+                                 break;
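Review bot: update-cargo.patch carries no DEP-3 header (Description, Author, Origin/Forwarded, Bug), so a reader cannot tell why the query call sites changed or whether the change has been forwarded upstream; add one before upload. The code change itself appears semantics-preserving: `registry.query_vec(dep, false)` passed `fuzzy = false` in the old API, and `cargo::core::QueryKind::Exact` expresses the same exact-match request in cargo 0.66; the same holds for the `source.query(&dep, ...)` call, whose old form was the exact (non-fuzzy) variant. Stating that in the patch description would let the release team confirm there is no behaviour change in dependency resolution.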
diff -Nru rust-debcargo-2.6.0/debian/tests/control rust-debcargo-2.6.0/debian/tests/control
--- rust-debcargo-2.6.0/debian/tests/control	2022-11-16 10:08:41.000000000 +0100
+++ rust-debcargo-2.6.0/debian/tests/control	2023-01-12 17:33:49.000000000 +0100
@@ -3,7 +3,7 @@
 Depends: dh-cargo (>= 18), @
 Restrictions: allow-stderr, skip-not-installable
 
-Test-Command: /usr/share/cargo/bin/cargo-auto-test debcargo 2.6.0 --all-targets 
+Test-Command: /usr/share/cargo/bin/cargo-auto-test debcargo 2.6.0 --all-targets
 Features: test-name=librust-debcargo-dev:default
 Depends: dh-cargo (>= 18), @
 Restrictions: allow-stderr, skip-not-installable