[Pkg-rust-maintainers] Bug#1055918: Update on the http stack transition (was Re: Bug#1055918 rust-hyper: please provide newer upstream branch v1.0)

Fri Dec 13 15:16:44 GMT 2024

Hi all,

Sorry that the work has stalled for a while, esp. to Daniel whose work is being
blocked by this. Here is a briefing on the current situation:

As pointed out earlier, the effort was being tracked in the issue below. For
those who don't quite like the web interface: lynx/w3m works just fine for
reading it.

https://salsa.debian.org/rust-team/debcargo-conf/-/issues/78

Currently, these are uploaded to experimental (as listed in the issue):

- http 1
- headers-core 0.3
- headers 0.4
- http-body 1
- http-body-util 0.1
- h2 0.4
- http-auth 0.1
- hyper 1
- hyper-tls 0.6
- hyper-util 0.1
- tower 0.5
- tower-layer 0.3
- tower-service 0.3
- reqwest 0.12

Thanks to kpcyrd for splitting out http-0.2 and http-body-0.4 to ease the
transition. But as they (only two!) are still in NEW, I won't be too optimistic
about uploading versioned packages for all those above. And frankly, the
majority of dependency is on hyper and reqwest.

Now, these are *a lot*: over 20 on reqwest and 10+ on hyper, a few on http. Of
course, about half of them carry relaxing patches which once are removed will
just happily depend on the new versions. These should be fairly simple to
resolve, only needing coordination with uploads to unstable of those above.

Some are old versions with older dependencies. Updating is enough, for
themselves; they likely are depended on in turn, which needs to be solved.

Others (10+) stay with older dependencies upstream. These need analysis and
decision whether to patch them up or else.

rustls is also involved, which is its own beast. I have tried to downgrade it
for some but the work was non-trivial, though it's possible to work out through
versioned package since it's only one. There is an informational issue as it's
maintained by Jonas:

https://salsa.debian.org/rust-team/debcargo-conf/-/issues/84

Jelmer is the upstream for a few crates: debbugs, debian-analyzer,
silver-platter which are old versions on old deps, launchpadlib and
upstream-ontologist are relaxed (?). Please help if you could ;)

Jonas maintains several of the rdeps outside the Rust team: hypothesis and vdash
which upstreams have yet to upgrade, sccache has it relaxed, tonic can be
upgraded, axum only dev-depends on reqwest which could temporarily be disabled
before it's upgraded (it seems to be another beast). I know you'd prefer one bug
for each of them, but I'm a bit too stressed atm to do that. Thanks for
understanding ;)

Due to matters in $life I don't have much time right now to spend on continuing
the effort, and the information above and linked might be a bit outdated, sorry.
Rust team members, and Jonas (for the packages you maintain), please consider
giving a hand. I'm still available for occasional questions on IRC and in email.
Thank you ;)

-- 
Sdrager,
Blair Noctis

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/attachments/20241213/cd138d6a/attachment.sig>