Comment 9 for bug 1957932

Steve Beattie (sbeattie) wrote : Re: [MIR] rustc, cargo

I reviewed rustc 1.57.0+dfsg1+llvm-0ubuntu2 as checked into jammy
(but also peeked briefly at 1.58.1+dfsg1~ubuntu1-0ubuntu1~ppa5
in Simon's ppa). This shouldn't be considered a full audit but
rather a quick gauge of maintainability, and this is a bit more
streamlined review than normal due to the nature of Rust.

Rust is a programming language and runtime environment that is
intended to be a modern systems language. In general, the Ubuntu
Security team views more widespread usage of Rust as a positive
thing; the primary drawback being, like Go before it, the choice
to static link everything makes security updates more challenging
for both the deliverer and users on limited bandwidth.

The Built-Using: mechanism at least gives us a chance to determine
what needs to be rebuilt when a rust library has a security
vulnerability that needs addressing. In order to get Built-Using:
applied to Rust applications in jammy, does this mean that every
Rust application needs at a minimum a no-change rebuild before
jammy is released? If so, is there a plan for that?

I'd like to ask what is the support expectation and commitment
from the Foundations team for the rust toolchain and the separated
out LLVM:

 - Is the expectation that version bumps of rust, possibly along
   with version bumps of LLVM necessary, will be brought back to
   22.04 LTS?

 - If so, does the source package need a versioned name, as done
   for other toolchains?

 - As more things depend on rust either wholly or partially
   (e.g. the ongoing work on the Linux kernel), is there an
   expectation this will change for 24.04 LTS?

For CVE history, there are 21 CVEs in the security team's tracker
that affect Rust, 20 in the standard library. (There is also a
very recent additional issue that affects the vendored copy of
rust-crossbeam in the rustc source package.) Generally, upstream
looks responsive to security issues.

Given all the above, the Ubuntu Security team provisionally acks rustc
for main, assuming the questions above can be answered.
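As an added illustration of the Built-Using: mechanism the comment refers to (example code written for this page, not part of the bug comment or of any Ubuntu tooling; the Packages stanzas, binary package names and the rust-crossbeam version are constructed), here is a small parser that, given an apt Packages file and a source package with a known vulnerability, lists the statically linked binaries that would need a rebuild:

```python
"""List binary packages whose Built-Using: field names a given source package."""
import re

# Constructed sample of apt Packages stanzas (not real archive data).
# The rustc version is the one under review; everything else is made up.
SAMPLE_PACKAGES = """\
Package: example-rust-tool
Version: 1.0-1
Architecture: amd64
Built-Using: rustc (= 1.57.0+dfsg1+llvm-0ubuntu2),
 rust-crossbeam (= 0.8.0-1)

Package: example-c-tool
Version: 2.3-1
Architecture: amd64

Package: another-rust-tool
Version: 0.5-2
Architecture: amd64
Built-Using: rustc (= 1.57.0+dfsg1+llvm-0ubuntu2)
"""

# One relation of the form "source (= version)".
RELATION_RE = re.compile(r"^\s*(\S+)\s*\(=\s*([^)]+)\)\s*$")


def parse_stanzas(text):
    """Split RFC822-style Packages text into dicts, joining continuation lines."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1].isspace() and key:          # continuation of previous field
                fields[key] += " " + line.strip()
            else:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def parse_built_using(value):
    """Turn 'src (= ver), src2 (= ver2)' into a dict of source -> version."""
    result = {}
    for chunk in filter(None, (c.strip() for c in value.split(","))):
        m = RELATION_RE.match(chunk)
        if m:
            result[m.group(1)] = m.group(2).strip()
    return result


def needs_rebuild(packages_text, vulnerable_source):
    """Return (binary, embedded version) pairs that embed vulnerable_source."""
    hits = []
    for stanza in parse_stanzas(packages_text):
        built_using = parse_built_using(stanza.get("Built-Using", ""))
        if vulnerable_source in built_using:
            hits.append((stanza["Package"], built_using[vulnerable_source]))
    return hits
```

Run it against a real Packages index (e.g. one from /var/lib/apt/lists) to get the same list for the actual archive.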