[Bug 1964098] Re: [FFe] Versioned packages for Rust toolchain
Seth Arnold
1964098 at bugs.launchpad.net
Tue Mar 15 01:26:04 UTC 2022
I can really appreciate the appeal of a "do nothing today" solution but
I'm worried about how much work, and unknown surprises, await us on our
*first* update in the future.
At some point, we'll have a security issue in a rust program that can
only be solved in coordination with a toolchain update, and we'll need
to learn what needs to be done, what parts need updating, etc, while
under duress.
Will our unfamiliarity with this process provide us with an
insurmountable stumbling block in the future, one that risks our users
or our reputation?
Thanks
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rustc in Ubuntu.
https://bugs.launchpad.net/bugs/1964098
Title:
[FFe] Versioned packages for Rust toolchain
Status in rustc package in Ubuntu:
Invalid
Bug description:
Hi,
In the rustc MIR at
https://bugs.launchpad.net/ubuntu/+source/rustc/+bug/1957932 it was proposed
that the Rust toolchain start using versioned source packages to allow multiple
versions in the archive at the same time. The issue was discussed in-person
during the recent sprint, and consensus was that this would be a good idea
going forward to minimize the risks associated with updating the toolchain in
stable releases, which as before will be necessary for Firefox support.
However, the question arises of what to do with the current src:rustc package
in Jammy. I see two paths forward:
1/ We could rename src:rustc into rustc-1.58, adding the proper suffixes to its
binaries, and introduce a new src:rustc-defaults package setting up symlinks to
the new rust*-1.58 binaries. This would be needed if we'd expect the whole Rust
ecosystem to move on to the newer toolchains as they are uploaded to the LTS.
Similar work would probably be needed for src:cargo.
I'm assuming this would require an FFe, as the potential for breakage in the archive
seems quite high.
2/ We could do *nothing*. We'd need to update the packaging of Firefox to deal
with versioned binaries for rustc and cargo when the time comes, and the rest
of the Rust ecosystem in the archive would remain tied to the 1.58.1 version of
rustc. The (other?) downside is the lack of consistency within the Jammy
release, where we'll have one version of rustc that's not explicitly versioned.
Writing this all down makes me lean more towards 2/ as the proper solution
here. However, I think this should be discussed in the open, and would benefit
from the Release Team's input.
TIA!
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rustc/+bug/1964098/+subscriptions
More information about the foundations-bugs
mailing list