Re: clamav 0.105.1-3 needs rust >1.61

[Matthias Fischer <matthias.fischer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3881 bytes --]

On 21.11.2022 11:44, Michael Tremer wrote:
> Hello Matthias,

Hi Michael,

please see comments below...

>> On 19 Nov 2022, at 15:56, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>> 
>> Hi,
>> 
>> ...I'd like to have a small problem... ;-)
>> 
>> A few days ago, 'clamav 0.105.1' was updated, again:
>> ...
> 
> This is *really* bad that they bundle so many libraries and make it very difficult for us to keep track of what vulnerabilities might be in clamav although they are part of a third-party library.

Yep.

> We should try to remove all of them and always build against the system libraries.

Puh. Sounds difficult. For now, I'll be happy if I get 'clamav' and
'rust' building at all.

>> Unfortunately, building the third version of 'clamav 0.105.1' with
>> current 'next' failed:
>> ....
>> ***SNIP***
>> ...
>>    error: package `tiff v0.8.0` cannot be built because it requires
>> rustc 1.61.0 or newer, while the currently active rustc version is
>> 1.60.0-nightly.
>> ...
>>    ninja: build stopped: subcommand failed.
>>    make: *** [clamav:89: /usr/src/log/clamav-0.105.1] Error 1
>> ***SNAP***
> 
> Great code quality. This is however not the reason why the build stopped. This is only a warning.
> 
>> Hm. Great.
>> 
>> So I tried the current 'rust 1.65' version.
>> 
>> This time, the building failed because of a rust component:
>> 
>> ***SNIP***
>> ...
>> Finished release [optimized] target(s) in 1.92s
>>    cd /usr/src/cipher-0.3.0 &&         mkdir -pv
>> ...
>> install -Z avoid-dev-deps -j8 --no-track --path .; fi
>>    mkdir: created directory '/usr/share/cargo/registry/cipher-0.3.0'
>>    warning: No (git) VCS found for `/usr/src/cipher-0.3.0`
>>    error: invalid inclusion of reserved file name Cargo.toml.orig in
>> package source
>>    cp: missing file operand
>>    Try 'cp --help' for more information.
>>    make: *** [rust-cipher:78: /usr/src/log/cipher-0.3.0] Error 123
>> ***SNAP***
> 
> Rust is an absolute dependency hell. Ask Adolf and look at his latest patchset :)

Yes. I saw that. Too much for me...

>> Ok, even greater.
>> 
>> Does anyone have an idea to solve this? I can't even find an updated
>> package for , e.g., 'cipher-0.3.0tar.gz', although apparently I found at
>> least an updated version (0.4.3) here:
>> 
>> => https://docs.rs/cipher/latest/cipher/#
>> 
>> But no download links... Hm! Where on earth did 'cipher-0.3.0.tar.gz'
>> came from?
> 
> There is a little helper script in tools/ which you can use to automatically download the source and even generate an LFS file, because they all look the same:
> 
> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=tools/download-rust-crate;h=f6a0fe035d30fdbddaa843ccac45251b0049088a;hb=HEAD

I didn't saw this one. Thanks!

> You can just run this as “tools/download-rust-crate cipher” and it should create everything you need. Just add it to make.sh and it should build.

The funny part: I hadn't 'jq' on my Devel - never heard of it or needed
it until now - but I got the build running now. After an 'apt install
jq' everything seems to be ok. ;-)

Devel is running, I looking forward how far I will get. I'm curious what
'suricata' thinks of 'rust 1.65'...

>> What makes me a bit nervous though is the fact that if clamav really can
>> only be made to work with a major rust update, the other rust components
>> might have to be updated as well. And I found 103 rust*-lfs files...
> 
> Yes. And every time we change one of those packages, we will have to ship *everything* that is related to Rust.

Should I check the other rust-* packages (the remaining 102...) for
possible updates?

Best,
Matthias

> Such a great language. Stop using Rust, people.
> 
> -Michael
> 
>> 
>> Any thoughts and hints welcome!
>> 
>> Best,
>> Matthias
>