On 21.11.2022 11:44, Michael Tremer wrote: > Hello Matthias, Hi Michael, please see comments below... >> On 19 Nov 2022, at 15:56, Matthias Fischer wrote: >> >> Hi, >> >> ...I'd like to have a small problem... ;-) >> >> A few days ago, 'clamav 0.105.1' was updated, again: >> ... > > This is *really* bad that they bundle so many libraries and make it very difficult for us to keep track of what vulnerabilities might be in clamav although they are part of a third-party library. Yep. > We should try to remove all of them and always build against the system libraries. Puh. Sounds difficult. For now, I'll be happy if I get 'clamav' and 'rust' building at all. >> Unfortunately, building the third version of 'clamav 0.105.1' with >> current 'next' failed: >> .... >> ***SNIP*** >> ... >> error: package `tiff v0.8.0` cannot be built because it requires >> rustc 1.61.0 or newer, while the currently active rustc version is >> 1.60.0-nightly. >> ... >> ninja: build stopped: subcommand failed. >> make: *** [clamav:89: /usr/src/log/clamav-0.105.1] Error 1 >> ***SNAP*** > > Great code quality. This is however not the reason why the build stopped. This is only a warning. > >> Hm. Great. >> >> So I tried the current 'rust 1.65' version. >> >> This time, the building failed because of a rust component: >> >> ***SNIP*** >> ... >> Finished release [optimized] target(s) in 1.92s >> cd /usr/src/cipher-0.3.0 && mkdir -pv >> ... >> install -Z avoid-dev-deps -j8 --no-track --path .; fi >> mkdir: created directory '/usr/share/cargo/registry/cipher-0.3.0' >> warning: No (git) VCS found for `/usr/src/cipher-0.3.0` >> error: invalid inclusion of reserved file name Cargo.toml.orig in >> package source >> cp: missing file operand >> Try 'cp --help' for more information. >> make: *** [rust-cipher:78: /usr/src/log/cipher-0.3.0] Error 123 >> ***SNAP*** > > Rust is an absolute dependency hell. Ask Adolf and look at his latest patchset :) Yes. I saw that. Too much for me... >> Ok, even greater. >> >> Does anyone have an idea to solve this? I can't even find an updated >> package for , e.g., 'cipher-0.3.0tar.gz', although apparently I found at >> least an updated version (0.4.3) here: >> >> => https://docs.rs/cipher/latest/cipher/# >> >> But no download links... Hm! Where on earth did 'cipher-0.3.0.tar.gz' >> came from? > > There is a little helper script in tools/ which you can use to automatically download the source and even generate an LFS file, because they all look the same: > > https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=tools/download-rust-crate;h=f6a0fe035d30fdbddaa843ccac45251b0049088a;hb=HEAD I didn't saw this one. Thanks! > You can just run this as “tools/download-rust-crate cipher” and it should create everything you need. Just add it to make.sh and it should build. The funny part: I hadn't 'jq' on my Devel - never heard of it or needed it until now - but I got the build running now. After an 'apt install jq' everything seems to be ok. ;-) Devel is running, I looking forward how far I will get. I'm curious what 'suricata' thinks of 'rust 1.65'... >> What makes me a bit nervous though is the fact that if clamav really can >> only be made to work with a major rust update, the other rust components >> might have to be updated as well. And I found 103 rust*-lfs files... > > Yes. And every time we change one of those packages, we will have to ship *everything* that is related to Rust. Should I check the other rust-* packages (the remaining 102...) for possible updates? Best, Matthias > Such a great language. Stop using Rust, people. > > -Michael > >> >> Any thoughts and hints welcome! >> >> Best, >> Matthias >