Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: rust-debca...@packages.debian.org, pkg-rust-maintain...@alioth-lists.debian.net
Control: affects -1 + src:rust-debcargo
Please unblock package rust-debcargo

[ Reason ]
This update was supposed to happen before the toolchain freeze, but unfortunately was blocked by a last-minute transition within the rust-* ecosystem. The update syncs the used cargo library (src:rust-cargo) with that of cargo the tool (src:cargo), including a fix for CVE-2022-46176. debcargo itself is not really a toolchain package in the classical sense, even though it is listed as part of the toolchain package set - it is only used to prepare (source) packages for uploading, not involved in building them.

[ Impact ]
Without this update, cargo the tool used for building and debcargo the tool which is used for preparing packages would use a different cargo version, which might introduce subtle bugs. debcargo would be affected by a MITM CVE that is not trivial to backport to the version currently in testing, since the fix requires updating dependencies to support the required interfaces.

[ Tests ]
debcargo itself is only slightly adapted to the new cargo library version. The same version with the same adaptation has seen some downstream usage in a derivative of Debian based on Debian Bullseye.

[ Risks ]
The main changes are actually in dependencies of src:rust-debcargo, mainly src:rust-cargo, since debcargo is statically linked with it. src:cargo 0.66 is already in testing (without the CVE fix, which has a separate unblock request) and has extensive test coverage. The code is identical to src:rust-cargo; they mainly differ in the resulting binary packages and the use of regular rust-* dependencies vs. vendored ones.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028545 contains the unblock request for adding the CVE fix to src:cargo.

This unblock request would require a whole set of rust-* packages to migrate together; all of them have already been uploaded to unstable (some are still building at this moment).

unblock rust-debcargo/2.6.0-2
diff -Nru rust-debcargo-2.6.0/debian/cargo-checksum.json rust-debcargo-2.6.0/debian/cargo-checksum.json --- rust-debcargo-2.6.0/debian/cargo-checksum.json 2022-11-16 10:08:41.000000000 +0100 +++ rust-debcargo-2.6.0/debian/cargo-checksum.json 2023-01-12 17:33:49.000000000 +0100 @@ -1 +1 @@ -{"package":"e828d0c0708afcb4f42db47f81f226afc8cc66c518c8cf9a491578fafb41eb24","files":{}} +{"package":"Could not get crate checksum","files":{}} diff -Nru rust-debcargo-2.6.0/debian/changelog rust-debcargo-2.6.0/debian/changelog --- rust-debcargo-2.6.0/debian/changelog 2022-11-16 10:08:41.000000000 +0100 +++ rust-debcargo-2.6.0/debian/changelog 2023-01-12 17:33:49.000000000 +0100 @@ -1,3 +1,10 @@ +rust-debcargo (2.6.0-2) unstable; urgency=medium + + * Team upload. + * Rebuild debcargo 2.6.0 with cargo 0.66.0 + + -- Fabian Gruenbichler <debian@fabian.gruenbichler.email> Thu, 12 Jan 2023 16:33:49 +0000 + rust-debcargo (2.6.0-1) unstable; urgency=medium * Team upload. diff -Nru rust-debcargo-2.6.0/debian/control rust-debcargo-2.6.0/debian/control --- rust-debcargo-2.6.0/debian/control 2022-11-16 10:08:41.000000000 +0100 +++ rust-debcargo-2.6.0/debian/control 2023-01-12 17:33:49.000000000 +0100 @@ -8,7 +8,7 @@ libstd-rust-dev, librust-ansi-term-0.12+default-dev, librust-anyhow-1+default-dev, - librust-cargo-0.63+default-dev, + librust-cargo-0.66+default-dev, librust-chrono-0.4+default-dev, librust-clap-3+cargo-dev, librust-clap-3+default-dev, @@ -16,7 +16,7 @@ librust-env-logger-0.9+default-dev, librust-filetime-0.2+default-dev, librust-flate2-1+default-dev, - librust-git2-0.14+default-dev, + librust-git2-0.16+default-dev, librust-glob-0.3+default-dev, librust-itertools-0.10+default-dev, librust-log-0.4+default-dev, 
@@ -33,9 +33,10 @@ Maintainer: Debian Rust Maintainers <pkg-rust-maintain...@alioth-lists.debian.net> Uploaders: Ximin Luo <infini...@debian.org> -Standards-Version: 4.5.1 +Standards-Version: 4.6.1 Vcs-Git: https://salsa.debian.org/rust-team/debcargo-conf.git [src/debcargo] Vcs-Browser: https://salsa.debian.org/rust-team/debcargo-conf/tree/master/src/debcargo +X-Cargo-Crate: debcargo Rules-Requires-Root: no Package: librust-debcargo-dev @@ -45,7 +46,7 @@ ${misc:Depends}, librust-ansi-term-0.12+default-dev, librust-anyhow-1+default-dev, - librust-cargo-0.63+default-dev, + librust-cargo-0.66+default-dev, librust-chrono-0.4+default-dev, librust-clap-3+cargo-dev, librust-clap-3+default-dev, @@ -53,7 +54,7 @@ librust-env-logger-0.9+default-dev, librust-filetime-0.2+default-dev, librust-flate2-1+default-dev, - librust-git2-0.14+default-dev, + librust-git2-0.16+default-dev, librust-glob-0.3+default-dev, librust-itertools-0.10+default-dev, librust-log-0.4+default-dev, diff -Nru rust-debcargo-2.6.0/debian/copyright.debcargo.hint rust-debcargo-2.6.0/debian/copyright.debcargo.hint --- rust-debcargo-2.6.0/debian/copyright.debcargo.hint 2022-11-16 10:08:41.000000000 +0100 +++ rust-debcargo-2.6.0/debian/copyright.debcargo.hint 2023-01-12 17:33:49.000000000 +0100 @@ -18,7 +18,7 @@ be correct information so you should review and fix this before uploading to the archive. -Files: ./src/debian/licenses/AGPL-3.0 +Files: src/debian/licenses/AGPL-3.0 Copyright: 2007 Free Software Foundation, Inc. <http://fsf.org/> License: UNKNOWN-LICENSE; FIXME (overlay) Comment: 
@@ -27,8 +27,8 @@ Files: debian/* Copyright: - 2018-2022 Debian Rust Maintainers <pkg-rust-maintain...@alioth-lists.debian.net> - 2018-2022 Ximin Luo <infini...@debian.org> + 2018-2023 Debian Rust Maintainers <pkg-rust-maintain...@alioth-lists.debian.net> + 2018-2023 Ximin Luo <infini...@debian.org> License: MIT or Apache-2.0 License: Apache-2.0 diff -Nru rust-debcargo-2.6.0/debian/patches/series rust-debcargo-2.6.0/debian/patches/series --- rust-debcargo-2.6.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ rust-debcargo-2.6.0/debian/patches/series 2023-01-12 17:33:49.000000000 +0100 @@ -0,0 +1 @@ +update-cargo.patch diff -Nru rust-debcargo-2.6.0/debian/patches/update-cargo.patch rust-debcargo-2.6.0/debian/patches/update-cargo.patch --- rust-debcargo-2.6.0/debian/patches/update-cargo.patch 1970-01-01 01:00:00.000000000 +0100 +++ rust-debcargo-2.6.0/debian/patches/update-cargo.patch 2023-01-12 17:33:49.000000000 +0100 
@@ -0,0 +1,44 @@ +Index: debcargo/Cargo.toml +=================================================================== +--- debcargo.orig/Cargo.toml ++++ debcargo/Cargo.toml +@@ -31,7 +31,7 @@ version = "0.12" + version = "1.0" + + [dependencies.cargo] +-version = "0.63" ++version = "0.66" + + [dependencies.chrono] + version = "0.4" +@@ -53,7 +53,7 @@ version = "0.2" + version = "1" + + [dependencies.git2] +-version = "0.14" ++version = "0.16" + + [dependencies.glob] + version = "0.3" +diff --git a/src/crates.rs b/src/crates.rs +index c57a61f..e5dc842 100644 +--- a/src/crates.rs ++++ b/src/crates.rs +@@ -60,7 +60,7 @@ fn hash<H: Hash>(hashable: &H) -> u64 { + } + + fn fetch_candidates(registry: &mut PackageRegistry, dep: &Dependency) -> Result<Vec<Summary>> { +- let mut summaries = match registry.query_vec(dep, false) { ++ let mut summaries = match registry.query_vec(dep, cargo::core::QueryKind::Exact) { + std::task::Poll::Ready(res) => res?, + std::task::Poll::Pending => { + registry.block_until_ready()?; +@@ -125,7 +125,7 @@ impl CrateInfo { + let dep = Dependency::parse(crate_name, None, source_id)?; + let mut package_id: Option<PackageId> = None; + loop { +- match source.query(&dep, &mut |p| package_id = Some(p.package_id())) { ++ match source.query(&dep, cargo::core::QueryKind::Exact, &mut |p| package_id = Some(p.package_id())) { + std::task::Poll::Ready(res) => { + res?; + break; diff -Nru rust-debcargo-2.6.0/debian/tests/control rust-debcargo-2.6.0/debian/tests/control --- rust-debcargo-2.6.0/debian/tests/control 2022-11-16 10:08:41.000000000 +0100 +++ rust-debcargo-2.6.0/debian/tests/control 2023-01-12 17:33:49.000000000 +0100 
@@ -3,7 +3,7 @@ Depends: dh-cargo (>= 18), @ Restrictions: allow-stderr, skip-not-installable -Test-Command: /usr/share/cargo/bin/cargo-auto-test debcargo 2.6.0 --all-targets +Test-Command: /usr/share/cargo/bin/cargo-auto-test debcargo 2.6.0 --all-targets Features: test-name=librust-debcargo-dev:default Depends: dh-cargo (>= 18), @ Restrictions: allow-stderr, skip-not-installable
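Review bot: In the debian/cargo-checksum.json hunk the "package" field goes from a sha256 value to the literal string "Could not get crate checksum", so the packaged crate can no longer be verified against a recorded upstream checksum. If debcargo 2.6.0 is packaged from git rather than from crates.io and no checksum exists, say so in d/changelog; otherwise regenerate the file with the real checksum before the package migrates.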
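Review bot: The debian/changelog entry only mentions "Rebuild debcargo 2.6.0 with cargo 0.66.0", but the debian/control hunks also bump Standards-Version from 4.5.1 to 4.6.1, add the X-Cargo-Crate: debcargo field, and bump librust-git2 from 0.14 to 0.16, and the copyright.debcargo.hint hunk changes the years and the Files: path. Since the checklist asserts that all changes are documented in d/changelog, either list these in the changelog entry or drop the unrelated ones from a freeze-time upload.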
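Review bot: debian/patches/update-cargo.patch carries no DEP-3 header (Description, Author, Origin/Forwarded); the file begins directly with "Index: debcargo/Cargo.toml". Please add one that records why the patch exists and whether it was forwarded upstream, and state there that the former `false` argument to `registry.query_vec` and `source.query` is being mapped to `cargo::core::QueryKind::Exact`, so a later reader can check that the non-fuzzy query semantics were preserved across the cargo 0.63 to 0.66 API change.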
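Review bot: In the debian/tests/control hunk the removed and added Test-Command lines read identically ("/usr/share/cargo/bin/cargo-auto-test debcargo 2.6.0 --all-targets"), so the change is either whitespace-only or its real difference did not survive in this debdiff. If it is whitespace-only, drop it from the diff; if not, please show the actual change, as the autopkgtest command is the only test coverage this upload claims for debcargo itself.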