[Pkg-rust-maintainers] Bug#1069207: src:rust-base64: rust-base64 0.22.0 is available (upgrade from 0.21.7)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Apr 18 01:01:45 BST 2024


Source: rust-base64
Version: 0.21.7-1
Severity: wishlist
X-Debbugs-Cc: Daniel Kahn Gillmor <dkg at fifthhorseman.net>

rust-base64 has a new upstream version 0.22.0 available, with the
following subtle changes to the API since 0.21.7:


- `DecodeSliceError::OutputSliceTooSmall` is now conservative rather
  than precise. That is, the error will only occur if the decoded
  output _cannot_ fit, meaning that `Engine::decode_slice` can now be
  used with exactly-sized output slices. As part of this,
  `Engine::internal_decode` now returns `DecodeSliceError` instead of
  `DecodeError`, but that is not expected to affect any external
  callers.

- `DecodeError::InvalidLength` now refers specifically to the _number of
  valid symbols_ being invalid (i.e. `len % 4 == 1`), rather than just
  the number of input bytes. This avoids confusing scenarios when based
  on interpretation you could make a case for either `InvalidLength` or
  `InvalidByte` being appropriate.


In Debian, we have a bunch of different packages that depend on 0.21:

Versions of rdeps of rust-base64 in unstable, that also exist in testing:
  librust-alacritty-terminal-dev                   0.19.1-7         depends on     librust-base64-0.21+default-dev, 
  librust-bson-dev                                 2.10.0-1         depends on     librust-base64-0.21+default-dev, 
  librust-cargo-dev                                0.70.1-2         depends on     librust-base64-0.21+default-dev, 
  librust-charset-dev                              0.1.3-1+b1       depends on     librust-base64-0.21+default-dev, 
  librust-cookie-dev                               0.18.0-1         depends on     librust-base64-0.21+default-dev (>= 0.21.4-~~), 
  librust-embed-doc-image-dev                      0.1.4-1+b1       depends on     librust-base64-0.21+default-dev, 
  librust-fernet-dev                               0.2.0+really0.1.4-3 depends on     librust-base64-0.21+default-dev, 
  librust-gix-transport-dev                        0.42.0-1         depends on     librust-base64-0.21+default-dev, 
  librust-headers-dev                              0.3.9-1+b1       depends on     librust-base64-0.21+default-dev, 
  librust-http-auth-dev                            0.1.8-1+b1       depends on     librust-base64-0.21+default-dev, 
  librust-jsonwebtoken-dev                         8.3.0-4          depends on     librust-base64-0.21+default-dev, 
  librust-oauth2-dev                               4.4.1-2          depends on     librust-base64-0.21+default-dev, 
  librust-openssh-keys-dev                         0.6.2-1+b1       depends on     librust-base64-0.21+default-dev, 
  librust-parsec-service-dev                       1.3.0-5+b1       depends on     librust-base64-0.21+default-dev, 
  librust-parsec-tool-dev                          0.7.0-4          depends on     librust-base64-0.21+default-dev, 
  librust-pem-dev                                  3.0.3-2          depends on     librust-base64-0.21+alloc-dev, librust-base64-0.21+std-dev, 
  librust-picky-asn1-x509-dev                      0.10.0-1+b1      depends on     librust-base64-0.21+default-dev, 
  librust-plist-dev                                1.6.1-1          depends on     librust-base64-0.21+default-dev, 
  librust-postgres-protocol-dev                    0.6.6-2          depends on     librust-base64-0.21+default-dev, 
  librust-reqwest-dev                              0.11.24-3        depends on     librust-base64-0.21+default-dev, 
  librust-rfc2047-decoder-dev                      0.2.2-1+b1       depends on     librust-base64-0.21+default-dev, 
  librust-ripasso-dev                              0.6.5-2          depends on     librust-base64-0.21+default-dev (>= 0.21.2-~~), 
  librust-ron-dev                                  0.7.1-3          depends on     librust-base64-0.21+default-dev, 
  librust-ruma-common-dev                          0.10.5-4         depends on     librust-base64-0.21+default-dev, 
  librust-rust-argon2-dev                          1.0.0-3          depends on     librust-base64-0.21+default-dev, 
  librust-rustls-pemfile-dev                       1.0.3-1          depends on     librust-base64-0.21+default-dev, 
  librust-sequoia-autocrypt-dev                    0.25.1-1         depends on     librust-base64-0.21+default-dev, 
  librust-sequoia-net-dev                          0.28.0-1         depends on     librust-base64-0.21+default-dev, 
  librust-sequoia-openpgp-dev                      1.19.0-1         depends on     librust-base64-0.21+default-dev, 
  librust-serde-with-dev                           3.4.0-2          depends on     librust-base64-0.21+alloc-dev, librust-base64-0.21-dev, 
  librust-sqlx-postgres-dev                        0.7.3-1          depends on     librust-base64-0.21+std-dev, 
  librust-sshkeys-dev                              0.3.2-1+b1       depends on     librust-base64-0.21+default-dev, 
  librust-totp-rs-dev                              3.0.1-3          depends on     librust-base64-0.21+default-dev, 
  librust-tower-http-dev                           0.4.4-3          depends on     librust-base64-0.21+default-dev, 
  librust-ureq-dev                                 2.9.1-3          depends on     librust-base64-0.21+default-dev, 
  librust-wycheproof-dev                           0.5.0-1+b1       depends on     librust-base64-0.21+default-dev, 

Source packages in unstable whose autopkgtests are triggered by rust-base64:
  rust-native-tls                                  0.2.11-2         triggered by     librust-base64-dev=0.21.7-1
  rust-octocrab                                    0.31.2-1         triggered by     librust-base64-dev=0.21.7-1
  rust-picky-asn1-der                              0.4.0-1          triggered by     librust-base64-dev=0.21.7-1
  rust-psa-crypto                                  0.9.2-3          triggered by     librust-base64-dev=0.21.7-1
  rust-rustls                                      0.21.10-1        triggered by     librust-base64-dev=0.21.7-1
  rust-rustls-webpki                               0.101.7-2.1      triggered by     librust-base64-dev=0.21.7-1
  rust-ttf-parser                                  0.19.1-2         triggered by     librust-base64-dev=0.21.7-1
  rust-webpki                                      0.22.4-2         triggered by     librust-base64-dev=0.21.7-1
  rust-wu-diff                                     0.1.2-1          triggered by     librust-base64-dev=0.21.7-1



Some of them, like rust-sequoia 1.20.0, have been tested successfully by
upstream against 0.22.0, but upgrading directly to 0.22.0 could break
the build of all of these packages.

So, either we need to:

- do a mass-testing event, patching the Cargo.toml of each of these
  reverse dependencies; if all the relevant tests succeed, then commit
  all these changes at once and push them into unstable as a batch.

or:

- upload a versioned rust-base64-0.21 that is capable of satisfying the
  existing reverse dependencies, and then upload 0.22 as the standard
  rust-base64.  Then we can at our leisure fix each reverse dependency
  (hopefully pushing fixes into the upstream projects)

The latter approach sounds more plausible to me in terms of getting
the ball moving sooner (mass testing is expensive to set up), though it
could last a longer time than the former approach if a few packages
linger.  But maybe other rust packagers have other preferred workflows
to tackle this kind of transition.

In the meantime, I intend to upload a version of rust-sequoia-openpgp
with a patched dependency that just depends on the older 0.21.7 version.

   --dkg



-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.15-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
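
Added example, not part of the original message and not code from the base64 crate: a simplified model of the two readings of `InvalidLength` that the second changelog entry contrasts, for reverse dependencies that branch on the error variant. `Verdict`, `by_input_bytes` and `by_valid_symbols` are hypothetical names, the inputs are constructed, and `decoded_len` is the exact output size that the first entry says `Engine::decode_slice` now accepts.

```rust
// Added illustration: a simplified model, not code from the base64 crate.
// Verdict, by_input_bytes and by_valid_symbols are hypothetical names.

#[derive(Debug, PartialEq)]
enum Verdict {
    Ok { decoded_len: usize },
    InvalidByte(usize),   // offset of the first byte outside the alphabet
    InvalidLength(usize), // the count that was judged invalid
}

// Standard alphabet of RFC 4648, padding excluded.
fn is_symbol(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b == b'+' || b == b'/'
}

// Reading 2: only valid symbols are counted, so a stray byte is always
// InvalidByte and InvalidLength means "symbol count % 4 == 1".
fn by_valid_symbols(input: &[u8]) -> Verdict {
    let mut end = input.len();
    // Drop up to two trailing '=' padding bytes before counting symbols.
    while end > 0 && input.len() - end < 2 && input[end - 1] == b'=' {
        end -= 1;
    }
    let body = &input[..end];
    if let Some(i) = body.iter().position(|&b| !is_symbol(b)) {
        return Verdict::InvalidByte(i);
    }
    match body.len() % 4 {
        1 => Verdict::InvalidLength(body.len()),
        _ => Verdict::Ok { decoded_len: body.len() * 3 / 4 },
    }
}

// Reading 1: the raw byte count is judged first, whatever the bytes are.
fn by_input_bytes(input: &[u8]) -> Verdict {
    if input.len() % 4 == 1 {
        return Verdict::InvalidLength(input.len());
    }
    by_valid_symbols(input)
}

fn main() {
    // Constructed inputs: well-formed, truncated, and a token with a trailing newline.
    for s in ["aGVsbG8=", "aGVsb", "aGVs\n"] {
        let b = s.as_bytes();
        println!("{:?}: bytes={:?} symbols={:?}", s, by_input_bytes(b), by_valid_symbols(b));
    }
}
```

The third input is the ambiguous case: four valid symbols followed by a newline is a length error under one reading and a byte error at offset 4 under the other, so code that treats the two variants differently should be retested when the dependency moves.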