
Bug#1028566: marked as done (unblock: rust-debcargo/2.6.0-2)



Your message dated Fri, 13 Jan 2023 22:24:00 +0100
with message-id <404659c1-5081-962e-fa2c-3f67968ce9f1@debian.org>
and subject line Re: Bug#1028566: unblock: rust-debcargo/2.6.0-2
has caused the Debian Bug report #1028566,
regarding unblock: rust-debcargo/2.6.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1028566: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028566
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: rust-debcargo@packages.debian.org, pkg-rust-maintainers@alioth-lists.debian.net
Control: affects -1 + src:rust-debcargo

Please unblock package rust-debcargo

[ Reason ]
This update was supposed to happen before the toolchain freeze, but
unfortunately was blocked by a last-minute transition within the rust-*
ecosystem.

The update syncs the cargo library used (src:rust-cargo) with that of
cargo the tool (src:cargo), including a fix for CVE-2022-46176.

debcargo itself is not really a toolchain package in the classical
sense, even though it is listed as part of the toolchain package set -
it is only used to prepare (source) packages for uploading, not involved
in building them.

[ Impact ]
Without this update, cargo the tool used for building and debcargo the
tool which is used for preparing packages would use a different cargo
version, which might introduce subtle bugs. debcargo would be affected
by a MITM CVE that is not trivial to backport to the version currently
in testing, since the fix requires updating dependencies to support the
required interfaces.

[ Tests ]
debcargo itself is only slightly adapted to the new cargo library
version. The same version with the same adaptation has seen some
downstream usage in a derivative of Debian based on Debian Bullseye.

[ Risks ]
The main changes are actually in dependencies of src:rust-debcargo,
mainly src:rust-cargo, since debcargo is statically linked with it.

src:cargo 0.66 is already in testing (without the CVE fix, which has a
separate unblock request) and has extensive test coverage. The code is
identical to src:rust-cargo; they mainly differ in the resulting binary
packages and the use of regular rust-* dependencies vs. vendored ones.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028545 contains the
unblock request for adding the CVE fix to src:cargo.

This unblock request would require a whole set of rust-* packages to
migrate together; all of them have already been uploaded to unstable
(some are still building at this moment).

unblock rust-debcargo/2.6.0-2
diff -Nru rust-debcargo-2.6.0/debian/cargo-checksum.json rust-debcargo-2.6.0/debian/cargo-checksum.json
--- rust-debcargo-2.6.0/debian/cargo-checksum.json	2022-11-16 10:08:41.000000000 +0100
+++ rust-debcargo-2.6.0/debian/cargo-checksum.json	2023-01-12 17:33:49.000000000 +0100
@@ -1 +1 @@
-{"package":"e828d0c0708afcb4f42db47f81f226afc8cc66c518c8cf9a491578fafb41eb24","files":{}}
+{"package":"Could not get crate checksum","files":{}}
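Review bot: the new cargo-checksum.json replaces the crate's sha256 in the `package` field with the literal string "Could not get crate checksum", so the file no longer carries an integrity value for the debcargo 2.6.0 crate. This reads like debcargo failed to retrieve the checksum when the packaging was regenerated; regenerate the file with the registry checksum restored (the previous value began with e828d0c0) instead of shipping the error text, so the crate contents can still be checked against it.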
diff -Nru rust-debcargo-2.6.0/debian/changelog rust-debcargo-2.6.0/debian/changelog
--- rust-debcargo-2.6.0/debian/changelog	2022-11-16 10:08:41.000000000 +0100
+++ rust-debcargo-2.6.0/debian/changelog	2023-01-12 17:33:49.000000000 +0100
@@ -1,3 +1,10 @@
+rust-debcargo (2.6.0-2) unstable; urgency=medium
+
+  * Team upload.
+  * Rebuild debcargo 2.6.0 with cargo 0.66.0
+
+ -- Fabian Gruenbichler <debian@fabian.gruenbichler.email>  Thu, 12 Jan 2023 16:33:49 +0000
+
 rust-debcargo (2.6.0-1) unstable; urgency=medium
 
   * Team upload.
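Review bot: the changelog entry only records "Rebuild debcargo 2.6.0 with cargo 0.66.0", while the debdiff also bumps git2 0.14 to 0.16, bumps Standards-Version 4.5.1 to 4.6.1, adds the X-Cargo-Crate field and adds update-cargo.patch, and the stated motivation is the CVE-2022-46176 sync. Since the request's checklist states that all changes are documented in d/changelog, a fuller entry (for example "Update to cargo 0.66 and git2 0.16 (update-cargo.patch) to pick up the fix for CVE-2022-46176; bump Standards-Version to 4.6.1") would make the record match the diff.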
diff -Nru rust-debcargo-2.6.0/debian/control rust-debcargo-2.6.0/debian/control
--- rust-debcargo-2.6.0/debian/control	2022-11-16 10:08:41.000000000 +0100
+++ rust-debcargo-2.6.0/debian/control	2023-01-12 17:33:49.000000000 +0100
@@ -8,7 +8,7 @@
  libstd-rust-dev,
  librust-ansi-term-0.12+default-dev,
  librust-anyhow-1+default-dev,
- librust-cargo-0.63+default-dev,
+ librust-cargo-0.66+default-dev,
  librust-chrono-0.4+default-dev,
  librust-clap-3+cargo-dev,
  librust-clap-3+default-dev,
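Review bot: the Build-Depends bump from librust-cargo-0.63+default-dev to librust-cargo-0.66+default-dev matches the Cargo.toml change in update-cargo.patch, but because the purpose of this update is to pick up the CVE-2022-46176 fix carried in src:rust-cargo, and debcargo links cargo statically, an unversioned `librust-cargo-0.66+default-dev` would also satisfy a rebuild against an unfixed 0.66 revision. Consider a versioned constraint on the revision that carries the fix (not given in this diff) so a rebuild cannot silently link the unfixed library.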
@@ -16,7 +16,7 @@
  librust-env-logger-0.9+default-dev,
  librust-filetime-0.2+default-dev,
  librust-flate2-1+default-dev,
- librust-git2-0.14+default-dev,
+ librust-git2-0.16+default-dev,
  librust-glob-0.3+default-dev,
  librust-itertools-0.10+default-dev,
  librust-log-0.4+default-dev,
@@ -33,9 +33,10 @@
 Maintainer: Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>
 Uploaders:
  Ximin Luo <infinity0@debian.org>
-Standards-Version: 4.5.1
+Standards-Version: 4.6.1
 Vcs-Git: https://salsa.debian.org/rust-team/debcargo-conf.git [src/debcargo]
 Vcs-Browser: https://salsa.debian.org/rust-team/debcargo-conf/tree/master/src/debcargo
+X-Cargo-Crate: debcargo
 Rules-Requires-Root: no
 
 Package: librust-debcargo-dev
@@ -45,7 +46,7 @@
  ${misc:Depends},
  librust-ansi-term-0.12+default-dev,
  librust-anyhow-1+default-dev,
- librust-cargo-0.63+default-dev,
+ librust-cargo-0.66+default-dev,
  librust-chrono-0.4+default-dev,
  librust-clap-3+cargo-dev,
  librust-clap-3+default-dev,
@@ -53,7 +54,7 @@
  librust-env-logger-0.9+default-dev,
  librust-filetime-0.2+default-dev,
  librust-flate2-1+default-dev,
- librust-git2-0.14+default-dev,
+ librust-git2-0.16+default-dev,
  librust-glob-0.3+default-dev,
  librust-itertools-0.10+default-dev,
  librust-log-0.4+default-dev,
diff -Nru rust-debcargo-2.6.0/debian/copyright.debcargo.hint rust-debcargo-2.6.0/debian/copyright.debcargo.hint
--- rust-debcargo-2.6.0/debian/copyright.debcargo.hint	2022-11-16 10:08:41.000000000 +0100
+++ rust-debcargo-2.6.0/debian/copyright.debcargo.hint	2023-01-12 17:33:49.000000000 +0100
@@ -18,7 +18,7 @@
  be correct information so you should review and fix this before uploading to
  the archive.
 
-Files: ./src/debian/licenses/AGPL-3.0
+Files: src/debian/licenses/AGPL-3.0
 Copyright: 2007 Free Software Foundation, Inc. <http://fsf.org/>
 License: UNKNOWN-LICENSE; FIXME (overlay)
 Comment:
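Review bot: the path fix from `./src/debian/licenses/AGPL-3.0` to `src/debian/licenses/AGPL-3.0` is fine, but the surrounding context still shows `License: UNKNOWN-LICENSE; FIXME (overlay)` for that file. This is a generated hint rather than the shipped copyright, so it is not a blocker, but confirm that debian/copyright in the upload actually names the AGPL-3.0 text for the licenses directory rather than carrying the FIXME through.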
@@ -27,8 +27,8 @@
 
 Files: debian/*
 Copyright:
- 2018-2022 Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>
- 2018-2022 Ximin Luo <infinity0@debian.org>
+ 2018-2023 Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>
+ 2018-2023 Ximin Luo <infinity0@debian.org>
 License: MIT or Apache-2.0
 
 License: Apache-2.0
diff -Nru rust-debcargo-2.6.0/debian/patches/series rust-debcargo-2.6.0/debian/patches/series
--- rust-debcargo-2.6.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ rust-debcargo-2.6.0/debian/patches/series	2023-01-12 17:33:49.000000000 +0100
@@ -0,0 +1 @@
+update-cargo.patch
diff -Nru rust-debcargo-2.6.0/debian/patches/update-cargo.patch rust-debcargo-2.6.0/debian/patches/update-cargo.patch
--- rust-debcargo-2.6.0/debian/patches/update-cargo.patch	1970-01-01 01:00:00.000000000 +0100
+++ rust-debcargo-2.6.0/debian/patches/update-cargo.patch	2023-01-12 17:33:49.000000000 +0100
@@ -0,0 +1,44 @@
+Index: debcargo/Cargo.toml
+===================================================================
+--- debcargo.orig/Cargo.toml
++++ debcargo/Cargo.toml
+@@ -31,7 +31,7 @@ version = "0.12"
+ version = "1.0"
+ 
+ [dependencies.cargo]
+-version = "0.63"
++version = "0.66"
+ 
+ [dependencies.chrono]
+ version = "0.4"
+@@ -53,7 +53,7 @@ version = "0.2"
+ version = "1"
+ 
+ [dependencies.git2]
+-version = "0.14"
++version = "0.16"
+ 
+ [dependencies.glob]
+ version = "0.3"
+diff --git a/src/crates.rs b/src/crates.rs
+index c57a61f..e5dc842 100644
+--- a/src/crates.rs
++++ b/src/crates.rs
+@@ -60,7 +60,7 @@ fn hash<H: Hash>(hashable: &H) -> u64 {
+ }
+ 
+ fn fetch_candidates(registry: &mut PackageRegistry, dep: &Dependency) -> Result<Vec<Summary>> {
+-    let mut summaries = match registry.query_vec(dep, false) {
++    let mut summaries = match registry.query_vec(dep, cargo::core::QueryKind::Exact) {
+         std::task::Poll::Ready(res) => res?,
+         std::task::Poll::Pending => {
+             registry.block_until_ready()?;
+@@ -125,7 +125,7 @@ impl CrateInfo {
+                     let dep = Dependency::parse(crate_name, None, source_id)?;
+                     let mut package_id: Option<PackageId> = None;
+                     loop {
+-                        match source.query(&dep, &mut |p| package_id = Some(p.package_id())) {
++                        match source.query(&dep, cargo::core::QueryKind::Exact, &mut |p| package_id = Some(p.package_id())) {
+                             std::task::Poll::Ready(res) => {
+                                 res?;
+                                 break;
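Review bot: update-cargo.patch has no DEP-3 header (Description, Origin, Forwarded) and mixes a quilt-style `Index:` header for Cargo.toml with a git-style `diff --git` header for src/crates.rs; add a header stating that it adapts debcargo 2.6.0 to the cargo 0.66 / git2 0.16 API and whether it has been sent upstream. The code change itself, `query_vec(dep, false)` becoming `query_vec(dep, cargo::core::QueryKind::Exact)` and the added `QueryKind::Exact` argument to `source.query`, is the behaviour-preserving mapping if the removed boolean was the fuzzy-match flag, so candidate resolution stays exact; worth a one-line confirmation in the header so the next cargo bump does not have to rediscover that.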
diff -Nru rust-debcargo-2.6.0/debian/tests/control rust-debcargo-2.6.0/debian/tests/control
--- rust-debcargo-2.6.0/debian/tests/control	2022-11-16 10:08:41.000000000 +0100
+++ rust-debcargo-2.6.0/debian/tests/control	2023-01-12 17:33:49.000000000 +0100
@@ -3,7 +3,7 @@
 Depends: dh-cargo (>= 18), @
 Restrictions: allow-stderr, skip-not-installable
 
-Test-Command: /usr/share/cargo/bin/cargo-auto-test debcargo 2.6.0 --all-targets 
+Test-Command: /usr/share/cargo/bin/cargo-auto-test debcargo 2.6.0 --all-targets
 Features: test-name=librust-debcargo-dev:default
 Depends: dh-cargo (>= 18), @
 Restrictions: allow-stderr, skip-not-installable



--- End Message ---
--- Begin Message ---
Hi Fabian,

On 12-01-2023 22:32, Fabian Grünbichler wrote:
> Please unblock package rust-debcargo

At this stage, I was expecting an unblock request to be an exception request for upload of a package listed in the toolchain list [1]. However, you already uploaded the package. As you can read in our freeze policy [2], there is no automatic migration blocking in place. Instead we ask maintainers of the toolchain list packages to *not upload* to unstable (as packages are built in unstable, so "the damage" is done already) unless they have an ACK.

Because the packages *should* be able to migrate on their own, I close this bug report, as there's nothing we need to do now. For next time, please hold off uploading toolchain list packages to unstable until you have a go from us.

Please also contact us again if there are issues with the packages and they fail to migrate (missing builds, etc.).

Paul

[1] https://release.debian.org/testing/essential-and-build-essential.txt
[2] https://release.debian.org/testing/freeze_policy.html#transition



--- End Message ---
