Hello,
Just to add more to this chaos:
https://www.phoronix.com/news/Debian-Orphans-Bcachefs-Tools
It seems that it is literally becoming impossible to package Rust software. Firefox builds with exactly one version of the Rust compiler; packages have tons of very specific dependencies that need to be available in the exact version as defined in Cargo.lock. Obviously we struggle to package all of that as it is a lot of work, pretty much pointless and what not…
I am angry with this because this is not necessarily a problem of the language itself, but rather the ecosystem that was built around it.
Clamav 1.3.0 is technically EOL and won’t be patched for any security problems, so I suppose this problem won’t go away easily for us.
-Michael
On 30 Aug 2024, at 10:37, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
On 29.08.2024 23:17, Adolf Belka wrote:
Hi Matthias,
Hi Adolf,
On 29/08/2024 19:18, Matthias Fischer wrote:
On 29.08.2024 15:24, Adolf Belka wrote:
Hi All,
Hi,
On 29/08/2024 15:04, Adolf Belka wrote:
Hi Michael & Matthias,
I just re-ran my build after the removal of the coreutils patch.
The build went past coreutils with no problem. However it has then failed at clamav (1.4.0) with the message
...
[some stuff shortened]
Looking through clamav, I can't find a way to easily tell clamav to use the rust-home version that is in IPFire. Hopefully Matthias with his knowledge of building clamav with rust can find a way.
Sorry Adolf, but I fear, I'm not *that* experienced... ;-)
I had a look through and found the rust source from 1.65.0 and I created a patch to change the home directory contents in the clamav source tarball to the version of home-0.5.3 instead of 0.5.5 which requires a min rust of 0.70.1 or similar.
First attempt...
That resulted in the next fail where the rust-which package was asking for a minimum home version of 0.5.5
Next failure...
So then I created another patch to modify the rust-which version requirement for home to 0.5.3
Oh my...
Then the build failed again with a message that home has to be > 0.5.3 and that is locked to version 0.5.9 but I can't find where that requirement is specified and I have the feeling this will become like going down the rabbit hole in Alice in Wonderland, so I am giving up at this point.
Could that be 'Cargo.lock' (line 465ff) or 'Cargo.toml' (line 12ff)?
But: WOW! You have my fullest sympathy and respect! But this was what I expected - and I still think it's not worth it, the efforts and work are too extensive.
There were no CVE fixes in clamav-1.4.0 so I think we can just wait for rust to be updated.
FULL ACK!
Best Matthias
Regards,
Adolf.
I wouldn't want to tamper with this and revert 'clamav', too.
Best Matthias
Regards,
Adolf.
Regards,
Adolf.