[bug#32834] [PATCH] gnu: icecat: Build with rust-1.24.

[bug#32834] [PATCH] gnu: icecat: Build with rust-1.24.

[Efraim Flashner]

* gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
compatable rust over newer releases when building icecat.
---
 gnu/packages/gnuzilla.scm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 653cee93d..f15a51163 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
-;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017, 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Alex Griffin <a@ajgrf.com>
 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
 ;;; Copyright © 2017 Nils Gillmann <ng0@n0.is>
@@ -587,8 +587,9 @@ security standards.")
        ("zip" ,zip)
        ("zlib" ,zlib)))
     (native-inputs
-     `(("rust" ,rust)
-       ("cargo" ,rust "cargo")
+      ;; Icecat 60 checkes for rust>=1.24
+     `(("rust" ,rust-1.24)
+       ("cargo" ,rust-1.24 "cargo")
        ("perl" ,perl)
        ("python" ,python-2) ; Python 3 not supported
        ("python2-pysqlite" ,python2-pysqlite)
-- 
2.19.0

[bug#32834] [PATCH] gnu: icecat: Build with rust-1.24.

[Ludovic Courtès]

Hi Efraim,

Efraim Flashner <efraim@flashner.co.il> skribis:

> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
> compatable rust over newer releases when building icecat.

[...]

> +      ;; Icecat 60 checkes for rust>=1.24
> +     `(("rust" ,rust-1.24)
> +       ("cargo" ,rust-1.24 "cargo")

I suppose the goal is to reduce the build chain, right?

Mark, Danny: WDYT?

Thanks,
Ludo’.

[bug#32834] [PATCH] gnu: icecat: Build with rust-1.24.

[Danny Milosavljevic]

[-- Attachment #1: Type: text/plain, Size: 778 bytes --]

On Sat, 29 Sep 2018 23:55:36 +0200
ludo@gnu.org (Ludovic Courtès) wrote:

> Hi Efraim,
> 
> Efraim Flashner <efraim@flashner.co.il> skribis:
> 
> > * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
> > compatable rust over newer releases when building icecat.  
> 
> [...]
> 
> > +      ;; Icecat 60 checkes for rust>=1.24
> > +     `(("rust" ,rust-1.24)
> > +       ("cargo" ,rust-1.24 "cargo")  
> 
> I suppose the goal is to reduce the build chain, right?
> 
> Mark, Danny: WDYT?

I think it's a good idea.

Eventually, the rust bootchain will change to mrustc -> rust@1.25.0 -> ...,
but we can cross that bridge when we come to it.

I'm not sure about Rust's policy with regard to CVEs.  Are those patched
in old releases, too?

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[bug#32834] [PATCH] gnu: icecat: Build with rust-1.24.

[Mark H Weaver]

Danny Milosavljevic <dannym@scratchpost.org> writes:

> On Sat, 29 Sep 2018 23:55:36 +0200
> ludo@gnu.org (Ludovic Courtès) wrote:
>
>> Hi Efraim,
>> 
>> Efraim Flashner <efraim@flashner.co.il> skribis:
>> 
>> > * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
>> > compatable rust over newer releases when building icecat.  
>> 
>> [...]
>> 
>> > +      ;; Icecat 60 checkes for rust>=1.24
>> > +     `(("rust" ,rust-1.24)
>> > +       ("cargo" ,rust-1.24 "cargo")  
>> 
>> I suppose the goal is to reduce the build chain, right?
>> 
>> Mark, Danny: WDYT?
>
> I think it's a good idea.
>
> Eventually, the rust bootchain will change to mrustc -> rust@1.25.0 -> ...,
> but we can cross that bridge when we come to it.
>
> I'm not sure about Rust's policy with regard to CVEs.  Are those patched
> in old releases, too?

Indeed, that's my main concern.  Might the older Rust compilers have
bugs that could lead to security flaws in IceCat?

Here's another possible approach to mitigate the cost of building this
long chain of Rust compilers: perhaps older versions of Rust could use
only minimal and highly stable inputs, such that they would be built
only once per core-updates cycle.  Thoughts?

       Mark

[bug#32834] [PATCH] gnu: icecat: Build with rust-1.24.

[Efraim Flashner]

On September 29, 2018 9:55:36 PM UTC, ludo@gnu.org wrote:
>Hi Efraim,
>
>Efraim Flashner <efraim@flashner.co.il> skribis:
>
>> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
>> compatable rust over newer releases when building icecat.
>
>[...]
>
>> +      ;; Icecat 60 checkes for rust>=1.24
>> +     `(("rust" ,rust-1.24)
>> +       ("cargo" ,rust-1.24 "cargo")
>
>I suppose the goal is to reduce the build chain, right?

Right. Currently each round of rust takes about 12 hours on my fast aarch64 board. This built successfully on aarch64 and ng0 was able to build and test it on x86_64.

>
>Mark, Danny: WDYT?
>
>Thanks,
>Ludo’.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

[bug#32834] [PATCH] gnu: icecat: Build with rust-1.24.

[Ludovic Courtès]

Mark H Weaver <mhw@netris.org> skribis:

> Danny Milosavljevic <dannym@scratchpost.org> writes:
>
>> On Sat, 29 Sep 2018 23:55:36 +0200
>> ludo@gnu.org (Ludovic Courtès) wrote:
>>
>>> Hi Efraim,
>>> 
>>> Efraim Flashner <efraim@flashner.co.il> skribis:
>>> 
>>> > * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
>>> > compatable rust over newer releases when building icecat.  
>>> 
>>> [...]
>>> 
>>> > +      ;; Icecat 60 checkes for rust>=1.24
>>> > +     `(("rust" ,rust-1.24)
>>> > +       ("cargo" ,rust-1.24 "cargo")  
>>> 
>>> I suppose the goal is to reduce the build chain, right?
>>> 
>>> Mark, Danny: WDYT?
>>
>> I think it's a good idea.
>>
>> Eventually, the rust bootchain will change to mrustc -> rust@1.25.0 -> ...,
>> but we can cross that bridge when we come to it.
>>
>> I'm not sure about Rust's policy with regard to CVEs.  Are those patched
>> in old releases, too?
>
> Indeed, that's my main concern.  Might the older Rust compilers have
> bugs that could lead to security flaws in IceCat?

I suppose vulnerabilities are more likely to be present in Rust’s
standard library than in the compiler, but the problem remains.  Given
the fast development pace, I’d be surprised if past releases received
security fixes.

> Here's another possible approach to mitigate the cost of building this
> long chain of Rust compilers: perhaps older versions of Rust could use
> only minimal and highly stable inputs, such that they would be built
> only once per core-updates cycle.  Thoughts?

If it’s possible, that’d be great.

Thanks,
Ludo’.

[bug#32834] [PATCH] gnu: icecat: Build with rust-1.24.

[Nils Gillmann]

Efraim Flashner transcribed 782 bytes:
> 
> 
> On September 29, 2018 9:55:36 PM UTC, ludo@gnu.org wrote:
> >Hi Efraim,
> >
> >Efraim Flashner <efraim@flashner.co.il> skribis:
> >
> >> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
> >> compatable rust over newer releases when building icecat.
> >
> >[...]
> >
> >> +      ;; Icecat 60 checkes for rust>=1.24
> >> +     `(("rust" ,rust-1.24)
> >> +       ("cargo" ,rust-1.24 "cargo")
> >
> >I suppose the goal is to reduce the build chain, right?
> 
> Right. Currently each round of rust takes about 12 hours on my fast aarch64 board. This built successfully on aarch64 and ng0 was able to build and test it on x86_64.

It is convenient (less than 36 hours build, build only one version of
rust), but I have to second the doubt about CVEs.
Mark, have you considered asking Mozilla about their recommended
strategy wrt chosing the right rust for a Firefox-based browser
building and implications of using an older rust for crates already
in Firefox?

If not, I will ask Firefox/Mozilla development and Rust community
tomorrow.

> >
> >Mark, Danny: WDYT?
> >
> >Thanks,
> >Ludo’.
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
> 
> 
> 

[bug#32834] [PATCH] gnu: icecat: Build with rust-1.24.

[Ludovic Courtès]

Nils Gillmann <ng0@n0.is> skribis:

> Efraim Flashner transcribed 782 bytes:
>> 
>> 
>> On September 29, 2018 9:55:36 PM UTC, ludo@gnu.org wrote:
>> >Hi Efraim,
>> >
>> >Efraim Flashner <efraim@flashner.co.il> skribis:
>> >
>> >> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
>> >> compatable rust over newer releases when building icecat.
>> >
>> >[...]
>> >
>> >> +      ;; Icecat 60 checkes for rust>=1.24
>> >> +     `(("rust" ,rust-1.24)
>> >> +       ("cargo" ,rust-1.24 "cargo")
>> >
>> >I suppose the goal is to reduce the build chain, right?
>> 
>> Right. Currently each round of rust takes about 12 hours on my fast aarch64 board. This built successfully on aarch64 and ng0 was able to build and test it on x86_64.
>
> It is convenient (less than 36 hours build, build only one version of
> rust), but I have to second the doubt about CVEs.
> Mark, have you considered asking Mozilla about their recommended
> strategy wrt chosing the right rust for a Firefox-based browser
> building and implications of using an older rust for crates already
> in Firefox?

I suspect Mozilla is not paying attention to bootstrapping issues the
way we do, so they’d probably recommend just using the latest Rust
version.

Ludo’.

[bug#32834] [PATCH] gnu: icecat: Build with rust-1.24.

[Nils Gillmann]

Ludovic Courtès transcribed 1.2K bytes:
> Nils Gillmann <ng0@n0.is> skribis:
> 
> > Efraim Flashner transcribed 782 bytes:
> >> 
> >> 
> >> On September 29, 2018 9:55:36 PM UTC, ludo@gnu.org wrote:
> >> >Hi Efraim,
> >> >
> >> >Efraim Flashner <efraim@flashner.co.il> skribis:
> >> >
> >> >> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
> >> >> compatable rust over newer releases when building icecat.
> >> >
> >> >[...]
> >> >
> >> >> +      ;; Icecat 60 checkes for rust>=1.24
> >> >> +     `(("rust" ,rust-1.24)
> >> >> +       ("cargo" ,rust-1.24 "cargo")
> >> >
> >> >I suppose the goal is to reduce the build chain, right?
> >> 
> >> Right. Currently each round of rust takes about 12 hours on my fast aarch64 board. This built successfully on aarch64 and ng0 was able to build and test it on x86_64.
> >
> > It is convenient (less than 36 hours build, build only one version of
> > rust), but I have to second the doubt about CVEs.
> > Mark, have you considered asking Mozilla about their recommended
> > strategy wrt chosing the right rust for a Firefox-based browser
> > building and implications of using an older rust for crates already
> > in Firefox?
> 
> I suspect Mozilla is not paying attention to bootstrapping issues the
> way we do, so they’d probably recommend just using the latest Rust
> version.
> 
> Ludo’.

Turns out they have it documented: https://wiki.mozilla.org/Rust_Update_Policy_for_Firefox
for 60:
Firefox Version Requires        Rust release date       Firefox release date
Firefox 60      Rust 1.24.0     2018 February 15        2018 May 9

[bug#32834] [PATCH] gnu: icecat: Build with rust-1.24.

[Joe Hillenbrand]

Rust 1.24.0 suffers from this CVE
https://www.cvedetails.com/cve/CVE-2018-1000622/

But I don't think it's relevant to building Firefox since it only
effects rustdoc plugins.
On Tue, Oct 2, 2018 at 2:47 AM Nils Gillmann <ng0@n0.is> wrote:
>
> Ludovic Courtès transcribed 1.2K bytes:
> > Nils Gillmann <ng0@n0.is> skribis:
> >
> > > Efraim Flashner transcribed 782 bytes:
> > >>
> > >>
> > >> On September 29, 2018 9:55:36 PM UTC, ludo@gnu.org wrote:
> > >> >Hi Efraim,
> > >> >
> > >> >Efraim Flashner <efraim@flashner.co.il> skribis:
> > >> >
> > >> >> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
> > >> >> compatable rust over newer releases when building icecat.
> > >> >
> > >> >[...]
> > >> >
> > >> >> +      ;; Icecat 60 checkes for rust>=1.24
> > >> >> +     `(("rust" ,rust-1.24)
> > >> >> +       ("cargo" ,rust-1.24 "cargo")
> > >> >
> > >> >I suppose the goal is to reduce the build chain, right?
> > >>
> > >> Right. Currently each round of rust takes about 12 hours on my fast aarch64 board. This built successfully on aarch64 and ng0 was able to build and test it on x86_64.
> > >
> > > It is convenient (less than 36 hours build, build only one version of
> > > rust), but I have to second the doubt about CVEs.
> > > Mark, have you considered asking Mozilla about their recommended
> > > strategy wrt chosing the right rust for a Firefox-based browser
> > > building and implications of using an older rust for crates already
> > > in Firefox?
> >
> > I suspect Mozilla is not paying attention to bootstrapping issues the
> > way we do, so they’d probably recommend just using the latest Rust
> > version.
> >
> > Ludo’.
>
> Turns out they have it documented: https://wiki.mozilla.org/Rust_Update_Policy_for_Firefox
> for 60:
> Firefox Version Requires        Rust release date       Firefox release date
> Firefox 60      Rust 1.24.0     2018 February 15        2018 May 9
>
>
>

[bug#32834] [PATCH] gnu: icecat: Build with rust-1.24.

[Mark H Weaver]

Nils Gillmann <ng0@n0.is> writes:

> Ludovic Courtès transcribed 1.2K bytes:
>> Nils Gillmann <ng0@n0.is> skribis:
>> 
>> > Efraim Flashner transcribed 782 bytes:
>> >> 
>> >> 
>> >> On September 29, 2018 9:55:36 PM UTC, ludo@gnu.org wrote:
>> >> >Hi Efraim,
>> >> >
>> >> >Efraim Flashner <efraim@flashner.co.il> skribis:
>> >> >
>> >> >> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
>> >> >> compatable rust over newer releases when building icecat.
>> >> >
>> >> >[...]
>> >> >
>> >> >> +      ;; Icecat 60 checkes for rust>=1.24
>> >> >> +     `(("rust" ,rust-1.24)
>> >> >> +       ("cargo" ,rust-1.24 "cargo")
>> >> >
>> >> >I suppose the goal is to reduce the build chain, right?
>> >> 
>> >> Right. Currently each round of rust takes about 12 hours on my
>> >> fast aarch64 board. This built successfully on aarch64 and ng0
>> >> was able to build and test it on x86_64.
>> >
>> > It is convenient (less than 36 hours build, build only one version of
>> > rust), but I have to second the doubt about CVEs.
>> > Mark, have you considered asking Mozilla about their recommended
>> > strategy wrt chosing the right rust for a Firefox-based browser
>> > building and implications of using an older rust for crates already
>> > in Firefox?
>> 
>> I suspect Mozilla is not paying attention to bootstrapping issues the
>> way we do, so they’d probably recommend just using the latest Rust
>> version.
>> 
>> Ludo’.
>
> Turns out they have it documented: https://wiki.mozilla.org/Rust_Update_Policy_for_Firefox
> for 60:
> Firefox Version Requires        Rust release date       Firefox release date
> Firefox 60      Rust 1.24.0     2018 February 15        2018 May 9

I'm okay with switching our IceCat package to use rust-1.24.

     Thanks,
       Mark

bug#32834: [PATCH] gnu: icecat: Build with rust-1.24.

[Efraim Flashner]

[-- Attachment #1: Type: text/plain, Size: 265 bytes --]

Pushed as 89f9df6cfd75d5180bd135c2b14fbfdc0eb6171b

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]