From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:45525) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1g6hNr-0000p9-JW for guix-patches@gnu.org; Sun, 30 Sep 2018 15:28:04 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1g6hNq-0006gS-Tp for guix-patches@gnu.org; Sun, 30 Sep 2018 15:28:03 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:56005) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1g6hNq-0006gD-Pg for guix-patches@gnu.org; Sun, 30 Sep 2018 15:28:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1g6hNq-0003AX-IO for guix-patches@gnu.org; Sun, 30 Sep 2018 15:28:02 -0400 Subject: [bug#32834] [PATCH] gnu: icecat: Build with rust-1.24. Resent-Message-ID: From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=) References: <20180925044904.23530-1-efraim@flashner.co.il> <87lg7kvuhz.fsf@gnu.org> <20180930005515.6860d2a4@scratchpost.org> <87wor34qnj.fsf@netris.org> Date: Sun, 30 Sep 2018 21:27:33 +0200 In-Reply-To: <87wor34qnj.fsf@netris.org> (Mark H. Weaver's message of "Sat, 29 Sep 2018 23:20:48 -0400") Message-ID: <871s9avl96.fsf@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: Mark H Weaver Cc: 32834@debbugs.gnu.org Mark H Weaver skribis: > Danny Milosavljevic writes: > >> On Sat, 29 Sep 2018 23:55:36 +0200 >> ludo@gnu.org (Ludovic Court=C3=A8s) wrote: >> >>> Hi Efraim, >>>=20 >>> Efraim Flashner skribis: >>>=20 >>> > * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest >>> > compatable rust over newer releases when building icecat.=20=20 >>>=20 >>> [...] >>>=20 >>> > + ;; Icecat 60 checkes for rust>=3D1.24 >>> > + `(("rust" ,rust-1.24) >>> > + ("cargo" ,rust-1.24 "cargo")=20=20 >>>=20 >>> I suppose the goal is to reduce the build chain, right? >>>=20 >>> Mark, Danny: WDYT? >> >> I think it's a good idea. >> >> Eventually, the rust bootchain will change to mrustc -> rust@1.25.0 -> .= .., >> but we can cross that bridge when we come to it. >> >> I'm not sure about Rust's policy with regard to CVEs. Are those patched >> in old releases, too? > > Indeed, that's my main concern. Might the older Rust compilers have > bugs that could lead to security flaws in IceCat? I suppose vulnerabilities are more likely to be present in Rust=E2=80=99s standard library than in the compiler, but the problem remains. Given the fast development pace, I=E2=80=99d be surprised if past releases receiv= ed security fixes. > Here's another possible approach to mitigate the cost of building this > long chain of Rust compilers: perhaps older versions of Rust could use > only minimal and highly stable inputs, such that they would be built > only once per core-updates cycle. Thoughts? If it=E2=80=99s possible, that=E2=80=99d be great. Thanks, Ludo=E2=80=99.