--- Begin Message ---
Subject: [address@hidden: Rust CVE]
Date: Sat, 22 Jan 2022 19:29:57 -0500
----- Forwarded message from kiasoc5@tutanota.com -----
Date: Sun, 23 Jan 2022 01:20:10 +0100 (CET)
From: kiasoc5@tutanota.com
To: guix-security@gnu.org
Subject: Rust CVE
Hi,
Rust has a new CVE that is only mitigated by upgrading to Rust 1.58+.
https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html
Attached is a patch that adds rust-1.58.1. It doesn't replace the default as
I'm not sure whether this should be grafted or not.
Thanks
kiasoc5
From 753f4e9c68a7b12267989d1721e97841d9f499d0 Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@tutanota.com>
Date: Sat, 22 Jan 2022 19:10:50 -0500
Subject: [PATCH] gnu: Add rust-1.58.
* gnu/packages/rust.scm (rust-1.58): New variable.
---
gnu/packages/rust.scm | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
index 5a6d4a5c30..c9b44da844 100644
--- a/gnu/packages/rust.scm
+++ b/gnu/packages/rust.scm
@@ -784,6 +784,10 @@ (define rust-1.57
`("procps" ,procps)
(package-native-inputs base-rust))))))
+(define rust-1.58
+ (rust-bootstrapped-package
+ rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))
+
;;; Note: Only the latest versions of Rust are supported and tested. The
;;; intermediate rusts are built for bootstrapping purposes and should not
;;; be relied upon. This is to ease maintenance and reduce the time
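Review bot: as the cover note admits, this hunk only adds `rust-1.58` and leaves the public `rust` at 1.57, so nothing that depends on `rust` actually receives the CVE-2022-21658 fix the message cites; the patch should either make the new definition the default (with the test re-enabling the final version normally carries, since `rust-bootstrapped-package` produces the intermediate, bootstrap-only form) or be paired with a graft, and the commit message should say which. It would also help to note in the commit message that the hash is for the 1.58.1 tarball (the subject says 1.58) and that it was checked against the upstream release.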
base-commit: dfc32d8d997da74a6e838b450649bd89905ffdc3
--
2.34.1
----- End forwarded message -----
--- End Message ---
--- Begin Message ---
Subject: Re: [bug#54439] [PATCH core-updates] gnu: rust: Use rust-1.60.0
Date: Thu, 04 Aug 2022 13:03:57 +0200
Jim Newsome <jim@jimnewsome.net> writes:
> Hi, I'm new to this project and this code-review workflow, so please bear
> with me :).
Welcome! You are doing great. :-)
> It looks like there have been a few attempts here at updating Rust, including
> [Paul's], [Felipe's], and [my own].
>
> [Paul's]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=54439#5
> [Felipe's]: https://issues.guix.gnu.org/54475#0
> [my own]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=56684
Indeed. :-/
> There's some discussion in this thread about using an updated mrustc and
> using that to cut out some earlier steps of the bootstrap chain. I propose
> leaving that out for the moment. It seems both nontrivial and orthogonal, so
> IMO would make more sense as its own thread / patch-set, which could be
> reviewed and merged independently, before or after this one.
This has recently been done on the 'staging' branch courtesy of Efraim.
> I think there's some confusion about where and how tests are
> enabled/disabled. IIUC in the current baseline, they are disabled in
> `rust-1.55`, which is the first version built with an earlier "official" rust:
>
> ```
> ;; Only the final Rust is tested, not the intermediate bootstrap ones,
> ;; for performance and simplicity.
> #:tests? #f
> ```
>
> and subsequent versions inherit that via the `rust-bootstrapped-package`
> function.
>
> The latest and public version (currently `rust-1.57`) re-enables most of the
> tests and fixes up some things so that the tests pass.
>
> So I think the approach here when adding versions is to change the current
> latest (1.57) to the simpler form that keeps tests disabled, add any
> additional necessary steps, and have the test-reenabling code again in the
> latest version.
That is my understanding too.
> 2 patches included:
>
> * First is a pure refactor to decouple "rust-1.57" from "rust" to help avoid
> confusion in the future.
> * Second adds 1.58, 1.59, and 1.60, and makes rust-1.60 the new rust.
>
> In the latter patch I also tried building each version with a Rust 2 versions
> back instead of just 1 version back, to see if any can be left out.
> Unfortunately they couldn't. I'm including some of the errors in the comments
> for reference.
LGTM, I've pushed both patches to the 'staging' branch since Rust was
already patched there and it has not started evaluating yet.
Note: I also added a copyright line for you, hope that was okay.
Closing the issue, but feel free to continue the discussion.
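The pattern Jim describes above (intermediate versions built with tests disabled, only the public `rust` re-enabling them) looks like this in a Guix package definition. This is an added illustration, not the code from either patch in this thread; it assumes `rust-1.57` and `rust-bootstrapped-package` exist as in gnu/packages/rust.scm, and reuses the 1.58.1 hash from the forwarded patch.

```scheme
;; Added illustration of the Guix pattern discussed above; not the code
;; from the rust.scm patches.  Assumes rust-1.57 and
;; rust-bootstrapped-package are already defined in gnu/packages/rust.scm.

;; Intermediate version: built from the previous release by
;; rust-bootstrapped-package, which carries over the bootstrap arguments,
;; including #:tests? #f.  Nothing else belongs here.
(define rust-1.58
  (rust-bootstrapped-package
   rust-1.57 "1.58.1" "1iq7kj16qfpkx8gvw50d8rf7glbm6s0pj2y1qkrz7mi56vfsyfd8"))

;; Public package: the latest version is the only one that is tested, so it
;; inherits the bootstrapped definition and flips #:tests? back on.  Any
;; phases needed to make the test suite pass go in this definition, so that
;; bumping the default again means moving only this block, not the
;; intermediate ones.
(define-public rust
  (package
    (inherit rust-1.58)
    (arguments
     (substitute-keyword-arguments (package-arguments rust-1.58)
       ((#:tests? _ #f) #t)))))
```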
--- End Message ---