• Bug#1069207: src:rust-base64: rust-base64 0.22.0 is available (upgrade

    From Daniel Kahn Gillmor@21:1/5 to All on Thu Apr 18 02:10:01 2024
    Source: rust-base64
    Version: 0.21.7-1
    Severity: wishlist
    X-Debbugs-Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

    rust-base64 has a new upstream version 0.22.0 available, with the
    following subtle changes to the API since 0.21.7:


    - `DecodeSliceError::OutputSliceTooSmall` is now conservative rather
    than precise. That is, the error will only occur if the decoded
    output _cannot_ fit, meaning that `Engine::decode_slice` can now be
    used with exactly-sized output slices. As part of this,
    `Engine::internal_decode` now returns `DecodeSliceError` instead of
    `DecodeError`, but that is not expected to affect any external
    callers.

    - `DecodeError::InvalidLength` now refers specifically to the _number of
    valid symbols_ being invalid (i.e. `len % 4 == 1`), rather than just
    the number of input bytes. This avoids confusing scenarios when based
    on interpretation you could make a case for either `InvalidLength` or
    `InvalidByte` being appropriate.


    In debian, we have a bunch of different packages that depend on 0.21:

    Versions of rdeps of rust-base64 in unstable, that also exist in testing:
    librust-alacritty-terminal-dev 0.19.1-7 depends on librust-base64-0.21+default-dev,
    librust-bson-dev 2.10.0-1 depends on librust-base64-0.21+default-dev,
    librust-cargo-dev 0.70.1-2 depends on librust-base64-0.21+default-dev,
    librust-charset-dev 0.1.3-1+b1 depends on librust-base64-0.21+default-dev,
    librust-cookie-dev 0.18.0-1 depends on librust-base64-0.21+default-dev (>= 0.21.4-~~),
    librust-embed-doc-image-dev 0.1.4-1+b1 depends on librust-base64-0.21+default-dev,
    librust-fernet-dev 0.2.0+really0.1.4-3 depends on librust-base64-0.21+default-dev,
    librust-gix-transport-dev 0.42.0-1 depends on librust-base64-0.21+default-dev,
    librust-headers-dev 0.3.9-1+b1 depends on librust-base64-0.21+default-dev,
    librust-http-auth-dev 0.1.8-1+b1 depends on librust-base64-0.21+default-dev,
    librust-jsonwebtoken-dev 8.3.0-4 depends on librust-base64-0.21+default-dev,
    librust-oauth2-dev 4.4.1-2 depends on librust-base64-0.21+default-dev,
    librust-openssh-keys-dev 0.6.2-1+b1 depends on librust-base64-0.21+default-dev,
    librust-parsec-service-dev 1.3.0-5+b1 depends on librust-base64-0.21+default-dev,
    librust-parsec-tool-dev 0.7.0-4 depends on librust-base64-0.21+default-dev,
    librust-pem-dev 3.0.3-2 depends on librust-base64-0.21+alloc-dev, librust-base64-0.21+std-dev,
    librust-picky-asn1-x509-dev 0.10.0-1+b1 depends on librust-base64-0.21+default-dev,
    librust-plist-dev 1.6.1-1 depends on librust-base64-0.21+default-dev,
    librust-postgres-protocol-dev 0.6.6-2 depends on librust-base64-0.21+default-dev,
    librust-reqwest-dev 0.11.24-3 depends on librust-base64-0.21+default-dev,
    librust-rfc2047-decoder-dev 0.2.2-1+b1 depends on librust-base64-0.21+default-dev,
    librust-ripasso-dev 0.6.5-2 depends on librust-base64-0.21+default-dev (>= 0.21.2-~~),
    librust-ron-dev 0.7.1-3 depends on librust-base64-0.21+default-dev,
    librust-ruma-common-dev 0.10.5-4 depends on librust-base64-0.21+default-dev,
    librust-rust-argon2-dev 1.0.0-3 depends on librust-base64-0.21+default-dev,
    librust-rustls-pemfile-dev 1.0.3-1 depends on librust-base64-0.21+default-dev,
    librust-sequoia-autocrypt-dev 0.25.1-1 depends on librust-base64-0.21+default-dev,
    librust-sequoia-net-dev 0.28.0-1 depends on librust-base64-0.21+default-dev,
    librust-sequoia-openpgp-dev 1.19.0-1 depends on librust-base64-0.21+default-dev,
    librust-serde-with-dev 3.4.0-2 depends on librust-base64-0.21+alloc-dev, librust-base64-0.21-dev,
    librust-sqlx-postgres-dev 0.7.3-1 depends on librust-base64-0.21+std-dev,
    librust-sshkeys-dev 0.3.2-1+b1 depends on librust-base64-0.21+default-dev,
    librust-totp-rs-dev 3.0.1-3 depends on librust-base64-0.21+default-dev,
    librust-tower-http-dev 0.4.4-3 depends on librust-base64-0.21+default-dev,
    librust-ureq-dev 2.9.1-3 depends on librust-base64-0.21+default-dev,
    librust-wycheproof-dev 0.5.0-1+b1 depends on librust-base64-0.21+default-dev,

    Source packages in unstable whose autopkgtests are triggered by rust-base64:
    rust-native-tls 0.2.11-2 triggered by librust-base64-dev=0.21.7-1
    rust-octocrab 0.31.2-1 triggered by librust-base64-dev=0.21.7-1
    rust-picky-asn1-der 0.4.0-1 triggered by librust-base64-dev=0.21.7-1
    rust-psa-crypto 0.9.2-3 triggered by librust-base64-dev=0.21.7-1
    rust-rustls 0.21.10-1 triggered by librust-base64-dev=0.21.7-1
    rust-rustls-webpki 0.101.7-2.1 triggered by librust-base64-dev=0.21.7-1
    rust-ttf-parser 0.19.1-2 triggered by librust-base64-dev=0.21.7-1
    rust-webpki 0.22.4-2 triggered by librust-base64-dev=0.21.7-1
    rust-wu-diff 0.1.2-1 triggered by librust-base64-dev=0.21.7-1



    some of them, like rust-sequoia 1.20.0, have been tested successfully by upstream against 0.22.0, but upgrading directly to 0.22.0 could break
    the build of all of these packages.

    So, either we need to:

    - do a mass-testing event, patching the Cargo.toml of each of these
    reverse dependencies; if all the relevant tests succeed, then commit
    all these changes at once and push them into unstable as a batch.

    or:

    - upload a versioned rust-base64-0.21 that is capable of satisfying the
    existing reverse dependencies, and then upload 0.22 as the standard
    rust-base64. Then we can at our leisure fix each reverse dependency
    (hopefully pushing fixes into the upstream projects)

    The latter approach sounds more plausible to me in terms of getting
    the ball moving sooner (mass testing is expensive to set up), though it
    could last a longer time than the former approach if a few packages
    linger. but maybe other rust packagers have other preferred workflows
    to tackle this kind of transition.

    In the meantime, i intend to upload a version of rust-sequoia-openpgp
    with a patched dependency that just depends on the older 0.21.7 version.

    --dkg



    -- System Information:
    Debian Release: trixie/sid
    APT prefers testing-debug
    APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.6.15-amd64 (SMP w/4 CPU threads; PREEMPT)
    Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)

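The two API changes quoted in the report, shown as an added example that is not part of the original message and is not the base64 crate's code: a simplified standard-alphabet decoder whose error classification follows the stated rules (`InvalidLength` only when the count of valid symbols is 1 mod 4, `OutputSliceTooSmall` only when the decoded bytes cannot fit). `ModelError` and `decode_slice_model` are hypothetical names, and the model is lenient about padding, so the crate's results for particular inputs may differ.

```rust
// Added illustration, not code from the base64 crate: a minimal
// standard-alphabet decoder modelling the two rules quoted above.
// ModelError and decode_slice_model are hypothetical names.
#[derive(Debug, PartialEq)]
pub enum ModelError {
    InvalidByte(usize, u8), // offset and value of the first non-alphabet byte
    InvalidLength(usize),   // count of valid symbols, when count % 4 == 1
    OutputSliceTooSmall,    // decoded bytes cannot fit in the output slice
}

fn sextet(b: u8) -> Option<u32> {
    match b {
        b'A'..=b'Z' => Some((b - b'A') as u32),
        b'a'..=b'z' => Some((b - b'a') as u32 + 26),
        b'0'..=b'9' => Some((b - b'0') as u32 + 52),
        b'+' => Some(62),
        b'/' => Some(63),
        _ => None,
    }
}

pub fn decode_slice_model(input: &[u8], out: &mut [u8]) -> Result<usize, ModelError> {
    // Up to two trailing '=' are padding, not symbols (the model is lenient here).
    let pad = input.iter().rev().take(2).take_while(|&&b| b == b'=').count();
    let mut vals = Vec::new();
    for (i, &b) in input[..input.len() - pad].iter().enumerate() {
        vals.push(sextet(b).ok_or(ModelError::InvalidByte(i, b))?);
    }
    // One leftover symbol carries 6 bits, which can never complete a byte.
    if vals.len() % 4 == 1 {
        return Err(ModelError::InvalidLength(vals.len()));
    }
    // Fail only when the exact decoded length cannot fit.
    if out.len() < vals.len() * 6 / 8 {
        return Err(ModelError::OutputSliceTooSmall);
    }
    let mut n = 0;
    for chunk in vals.chunks(4) {
        let acc = chunk.iter().enumerate().fold(0u32, |a, (k, v)| a | (*v << (18 - 6 * k)));
        for k in 0..chunk.len() - 1 { // 2, 3 or 4 symbols give 1, 2 or 3 bytes
            out[n] = (acc >> (16 - 8 * k)) as u8;
            n += 1;
        }
    }
    Ok(n)
}

fn main() {
    let mut exact = [0u8; 5]; // constructed sample: "aGVsbG8=" is "hello"
    println!("{:?}", decode_slice_model(b"aGVsbG8=", &mut exact));
}
```

Reverse dependencies that sized their output buffers or matched on `InvalidLength` versus `InvalidByte` under 0.21 are the ones whose tests are worth reading closely during the transition.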