On January 27, 2021 2:22 pm, Amy Kos wrote:
> Hi,
>
> raising severity, due to several high impact security vulnerabilities fixed
> in Firefox 85.
>
> https://www.mozilla.org/en-US/security/advisories/mfsa2021-03/
IMHO we'd need a freeze exception from the RT to update cargo at this point in the release cycle. Note that updating cargo in the regular fashion also entails:

- updating src:rust-cargo with its massive dependency chain, handling all rdeps
- updating debcargo to work with the new cargo version (often non-trivial)

before src:cargo can be updated to re-use the work/patches/.. above.

While we could in theory just update src:cargo to avoid the massive churn, it means a lot of duplicate work between the "vendored for bootstrap purposes" dependencies in src:cargo and the regular crates in src:rust-cargo's dependency tree which are managed with debcargo.

Updating cargo is currently almost single-handedly done by infinity0 with occasional help from me. The same goes for rustc. For both, updating to a new upstream release itself already is quite a lot of work of rebasing patches, analyzing changed dependencies and their copyright situation, and making sure Debian-related special stuff still works as expected.

Updating src:cargo takes weeks of coordinated effort by the rust-team because of the long tail of deps and rdeps, and will most likely lead to breakage in other packages spilling into the freeze proper, which would require more exceptions to clean up.

We'd need to act really fast to pull this off, and likely the only viable solution would be to update and upload src:rust-cargo and everything that's needed there to experimental (to avoid interfering with the rest of src:rust-* and the freeze), then update src:cargo (still benefiting from the work that went into experimental), and then post-full-freeze upload the things from experimental to unstable and update debcargo.