From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: clamav 0.105.1-3 needs rust >1.61
Date: Mon, 21 Nov 2022 20:05:32 +0100
Message-ID: <493b25ac-47b1-a7a4-6896-bcb3f16d7adb@ipfire.org>

On 21.11.2022 11:44, Michael Tremer wrote:
> Hello Matthias,

Hi Michael,

updated cipher to '0.4.3'. Clean build, result:

***SNIP***
======================================
Installing cipher-0.4.3 ...
Install started; saving file list to /usr/src/lsalr ...
cd /usr/src/cipher-0.4.3 && mkdir -p /usr/src/cipher-0.4.3/.cargo && echo "${CARGO_CONFIG}" > /usr/src/cipher-0.4.3/.cargo/config && rm -f Cargo.lock
cd /usr/src/cipher-0.4.3 && CARGOPATH=/usr/src/cipher-0.4.3/.cargo RUSTC_BOOTSTRAP=1 cargo --offline build --release -Z avoid-dev-deps -j8
error: no matching package named `crypto-common` found
location searched: registry `crates-io`
required by package `cipher v0.4.3 (/usr/src/cipher-0.4.3)`
As a reminder, you're using offline mode (--offline) which can sometimes cause surprising resolution failures, if this error is too confusing you may wish to retry without the offline flag.
make: *** [rust-cipher:77: /usr/src/log/cipher-0.4.3] Error 101
***SNAP***

Hm. Just guessing

=> updated 'lfs/rust-crypto-common' from '0.1.1' to '0.1.6' through the
helper script.

=> Identical error: "no matching package found".

Hmmm!

To follow the "reminder" would mean to delete the '--offline' option in
line 209 in 'lfs/config', but that would be only further guessing. And
this would affect all other files. Doesn't feel good.

I'm not familiar with this rust thing - sorry: any ideas about the best
way to proceed?

>> On 19 Nov 2022, at 15:56, Matthias Fischer wrote:
>>
>> Hi,
>>
>> ...I'd like to have a small problem... ;-)
>>
>> A few days ago, 'clamav 0.105.1' was updated, again:
>>
>> =>
>> https://blog.clamav.net/2022/11/second-clamav-100-release-candidate-and.html
>>
>> "...[it] was intended to also include bug fixes for the jpeg and tiff
>> Rust-based libraries that are bundled with the source code tarball.
>> Unfortunately, those fixes were not all release-ready in time for the
>> 0.105.1-2 packages."
>>
>> So far, so [oh, forget it!].
>
> This is *really* bad that they bundle so many libraries and make it
> very difficult for us to keep track of what vulnerabilities might be
> in clamav although they are part of a third-party library.
>
> We should try to remove all of them and always build against the
> system libraries.
>
>> Unfortunately, building the third version of 'clamav 0.105.1' with
>> current 'next' failed:
>>
>> ***SNIP***
>> ...
>> error: package `tiff v0.8.0` cannot be built because it requires
>> rustc 1.61.0 or newer, while the currently active rustc version is
>> 1.60.0-nightly.
>>
>> [193/379] Building C object
>> libclamav/CMakeFiles/lzma_sdk.dir/7z/7zIn.c.o
>> [194/379] Building C object
>> libclamav/CMakeFiles/bytecode_runtime.dir/bytecode_nojit.c.o
>> [195/379] Building C object
>> libclamav/CMakeFiles/yara.dir/yara_grammar.c.o
>> [196/379] Building C object libclamav/CMakeFiles/yara.dir/yara_lexer.c.o
>> yara_lexer.c:2571:24: warning: 'yy_fatal_error' defined but not used
>> [-Wunused-function]
>> yara_lexer.c: In function 'yara_yylex':
>> yara_lexer.l:263:16: warning: '%s' directive output may be truncated
>> writing up to 1023 bytes into a region of size 999 [-Wformat-truncation=]
>> In file included from /usr/include/stdio.h:906,
>> from yara_lexer.c:32:
>> /usr/include/bits/stdio2.h:54:10: note: '__builtin___snprintf_chk'
>> output between 26 and 1049 bytes into a destination of size 1024
>> 54 | return __builtin___snprintf_chk (__s, __n,
>> __USE_FORTIFY_LEVEL - 1,
>> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> 55 | __glibc_objsize (__s), __fmt,
>> | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> 56 | __va_arg_pack ());
>> | ~~~~~~~~~~~~~~~~~
>> ninja: build stopped: subcommand failed.
>> make: *** [clamav:89: /usr/src/log/clamav-0.105.1] Error 1
>> ***SNAP***
>
> Great code quality. This is however not the reason why the build
> stopped. This is only a warning.
>
>> Hm. Great.
>>
>> So I tried the current 'rust 1.65' version.
>>
>> This time, the building failed because of a rust component:
>>
>> ***SNIP***
>> ...
>> Finished release [optimized] target(s) in 1.92s
>> cd /usr/src/cipher-0.3.0 && mkdir -pv
>> "/usr/share/cargo/registry/cipher-0.3.0" && if
>> CARGOPATH=/usr/src/cipher-0.3.0/.cargo RUSTC_BOOTSTRAP=1 cargo --offline
>> metadata --format-version 1 --no-deps | jq -e
>> ".packages[].targets[].kind | any(. == \"lib\")" | grep -q "true" ||
>> CARGOPATH=/usr/src/cipher-0.3.0/.cargo RUSTC_BOOTSTRAP=1 cargo --offline
>> metadata --format-version 1 --no-deps | jq -e
>> ".packages[].targets[].kind | any(. == \"rlib\")" | grep -q "true" ||
>> CARGOPATH=/usr/src/cipher-0.3.0/.cargo RUSTC_BOOTSTRAP=1 cargo --offline
>> metadata --format-version 1 --no-deps | jq -e
>> ".packages[].targets[].kind | any(. == \"proc-macro\")" | grep -q
>> "true"; then awk
>> '/^\\\[((.+\\\.)?((dev|build)-)?dependencies|features)/{f=1;next}
>> /^\\\[/{f=0}; !f' < Cargo.toml > Cargo.toml.deps &&
>> CARGOPATH=/usr/src/cipher-0.3.0/.cargo RUSTC_BOOTSTRAP=1 cargo --offline
>> package -l | grep -wEv "Cargo.(lock|toml.orig)" | xargs -d "\n" cp -v
>> --parents -a -t /usr/share/cargo/registry/cipher-0.3.0 && install -v -m
>> 644 Cargo.toml.deps /usr/share/cargo/registry/cipher-0.3.0/Cargo.toml &&
>> echo "{\"files\":{},\"package\":\"\"}" >
>> /usr/share/cargo/registry/cipher-0.3.0/.cargo-checksum.json; fi && if
>> true && CARGOPATH=/usr/src/cipher-0.3.0/.cargo RUSTC_BOOTSTRAP=1 cargo
>> --offline metadata --format-version 1 --no-deps | jq -e
>> ".packages[].targets[].kind | any(. == \"bin\")" | grep -q "true"; then
>> CARGOPATH=/usr/src/cipher-0.3.0/.cargo RUSTC_BOOTSTRAP=1 cargo --offline
>> install -Z avoid-dev-deps -j8 --no-track --path .; fi
>> mkdir: created directory '/usr/share/cargo/registry/cipher-0.3.0'
>> warning: No (git) VCS found for `/usr/src/cipher-0.3.0`
>> error: invalid inclusion of reserved file name Cargo.toml.orig in
>> package source
>> cp: missing file operand
>> Try 'cp --help' for more information.
>> make: *** [rust-cipher:78: /usr/src/log/cipher-0.3.0] Error 123
>> ***SNAP***
>
> Rust is an absolute dependency hell. Ask Adolf and look at his latest
> patchset :)
>
>> Ok, even greater.
>>
>> Does anyone have an idea to solve this? I can't even find an updated
>> package for, e.g., 'cipher-0.3.0.tar.gz', although apparently I found at
>> least an updated version (0.4.3) here:
>>
>> => https://docs.rs/cipher/latest/cipher/#
>>
>> But no download links... Hm! Where on earth did 'cipher-0.3.0.tar.gz'
>> come from?
>
> There is a little helper script in tools/ which you can use to
> automatically download the source and even generate an LFS file,
> because they all look the same:
>
> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=tools/download-rust-crate;h=f6a0fe035d30fdbddaa843ccac45251b0049088a;hb=HEAD
>
> You can just run this as “tools/download-rust-crate cipher” and it
> should create everything you need. Just add it to make.sh and it
> should build.
>
>> What makes me a bit nervous though is the fact that if clamav really can
>> only be made to work with a major rust update, the other rust components
>> might have to be updated as well. And I found 103 rust*-lfs files...
>
> Yes. And every time we change one of those packages, we will have to
> ship *everything* that is related to Rust.
>
> Such a great language. Stop using Rust, people.
>
> -Michael
>
>>
>> Any thoughts and hints welcome!
>>
>> Best,
>> Matthias
>