From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40986) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1g7ZnS-0008Iq-8b for guix-patches@gnu.org; Wed, 03 Oct 2018 01:34:07 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1g7ZnN-0004ol-Vy for guix-patches@gnu.org; Wed, 03 Oct 2018 01:34:05 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:58822) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1g7ZnN-0004oh-SC for guix-patches@gnu.org; Wed, 03 Oct 2018 01:34:01 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1g7ZnN-0003KT-OD for guix-patches@gnu.org; Wed, 03 Oct 2018 01:34:01 -0400 Subject: [bug#32834] [PATCH] gnu: icecat: Build with rust-1.24. Resent-Message-ID: MIME-Version: 1.0 References: <20180925044904.23530-1-efraim@flashner.co.il> <87lg7kvuhz.fsf@gnu.org> <4F179DDB-1E56-44ED-8F7D-A088BB30905E@flashner.co.il> <20181001090338.aflixd7cezx2sicp@abyayala> <87r2h8so8b.fsf@gnu.org> <20181002094713.wicniziznzna24fv@abyayala> In-Reply-To: <20181002094713.wicniziznzna24fv@abyayala> From: Joe Hillenbrand Date: Tue, 2 Oct 2018 20:48:01 -0700 Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: ng0@n0.is Cc: mhw@netris.org, 32834@debbugs.gnu.org Rust 1.24.0 suffers from this CVE https://www.cvedetails.com/cve/CVE-2018-1000622/ But I don't think it's relevant to building Firefox since it only effects rustdoc plugins. On Tue, Oct 2, 2018 at 2:47 AM Nils Gillmann wrote: > > Ludovic Court=C3=A8s transcribed 1.2K bytes: > > Nils Gillmann skribis: > > > > > Efraim Flashner transcribed 782 bytes: > > >> > > >> > > >> On September 29, 2018 9:55:36 PM UTC, ludo@gnu.org wrote: > > >> >Hi Efraim, > > >> > > > >> >Efraim Flashner skribis: > > >> > > > >> >> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the olde= st > > >> >> compatable rust over newer releases when building icecat. > > >> > > > >> >[...] > > >> > > > >> >> + ;; Icecat 60 checkes for rust>=3D1.24 > > >> >> + `(("rust" ,rust-1.24) > > >> >> + ("cargo" ,rust-1.24 "cargo") > > >> > > > >> >I suppose the goal is to reduce the build chain, right? > > >> > > >> Right. Currently each round of rust takes about 12 hours on my fast = aarch64 board. This built successfully on aarch64 and ng0 was able to build= and test it on x86_64. > > > > > > It is convenient (less than 36 hours build, build only one version of > > > rust), but I have to second the doubt about CVEs. > > > Mark, have you considered asking Mozilla about their recommended > > > strategy wrt chosing the right rust for a Firefox-based browser > > > building and implications of using an older rust for crates already > > > in Firefox? > > > > I suspect Mozilla is not paying attention to bootstrapping issues the > > way we do, so they=E2=80=99d probably recommend just using the latest R= ust > > version. > > > > Ludo=E2=80=99. > > Turns out they have it documented: https://wiki.mozilla.org/Rust_Update_P= olicy_for_Firefox > for 60: > Firefox Version Requires Rust release date Firefox release d= ate > Firefox 60 Rust 1.24.0 2018 February 15 2018 May 9 > > >