[Bug 1957932] Re: [MIR] rustc, cargo
Steve Beattie
1957932 at bugs.launchpad.net
Wed Mar 16 04:24:26 UTC 2022
On Tue, Mar 15, 2022 at 05:14:00PM -0000, Simon Chopin wrote:
> Before even starting to address the various points further, I must ask
> whether they're showstopper for the *rustc* MIR.
> I ask because some of the concerns raised here are irrelevant for rustc
> itself. For instance, the X-Cargo-Built-Using is not only not used by
> the rustc packaging at all, it would also not be used by Rust packages
> entering main since, under the proposed amended rules, those packages
> would first vendor all their dependencies.
Ah, I had missed this piece from the conversation on the github
MR. That places more emphasis on making sure Cargo.lock at a minimum
is included. Long term, it would be ideal to have these in package
metadata as X-Embedded-Copies or whatever, but ultimately that's
a feature that would be generally useful across the distro and in
Debian, not just in the Rust portions of it.
For X-Cargo-Built-Using vs Built-Using in dh-cargo, the Security team
can compensate one way or the other, we just need to know that, no,
Built-Using not going to land in jammy. With the intent to fully vendor
things in main, it's less important (from our team's perspective)
that this gets resolved one way or the other, but I note that we are
not the only ones with an opinion here.
One other consideration is that organizations and governments are
pushing really strongly for Software Bills of Materials (SBOMs) so
the more proactive we are about collecting needed information in a
structured, easily consumable way, the more straightforward it will
be to satisfy those requirements.
> We intend to implement all tooling changes that are required for a
> wider Rust ecosystem support in main, but this starts with having the
> compiler!
The reason I ask about ecosystem supportability here is because this
is likely the sole point where it's even in bounds for an MIR security
audit. The 'dh-cargo' package as a "build-time only" tool means there
is no requirement for it to go into main, and thus will likely never
receive an MIR. When it comes time to review cargo, the argument will
then be "Of what use is having rustc in main without cargo?" Individual
applications or libraries will have reviews focused on themselves.
The reality is we accepted Go-lang into main with a hypothetical plan
to support its ecosystem security-wise, but has been difficult to
turn into something real. My concern is that we're about to do the
same for Rust, despite our broad general approval of the language.
[There are also other constraints within Canonical that cause me
to be thinking about the supportability of the ecosystem as a whole
beyond what gets integrated into main, but you are correct that they
are out of bounds for an MIR.]
Anyhow. I have concerns about supporting this ecosystem, but the
provisional ACK is already there.
Thanks.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rustc in Ubuntu.
https://bugs.launchpad.net/bugs/1957932
Title:
[MIR] rustc, cargo
Status in cargo package in Ubuntu:
Incomplete
Status in rustc package in Ubuntu:
In Progress
Bug description:
[Availability]
The packages rustc and cargo are already in Ubuntu universe.
The packages build for the architectures they are designed to work on,
and are also built on platform with lesser upstream support, see
https://doc.rust-lang.org/nightly/rustc/platform-support.html for details.
They currently build and works for architectures:
* amd64
* arm64
* armhf
* i386
* ppc64el
* riscv64
* s390x
Link to packages:
https://launchpad.net/ubuntu/+source/rustc
https://launchpad.net/ubuntu/+source/cargo
Upcoming version:
https://launchpad.net/~schopin/+archive/ubuntu/rustc-mir/+sourcepub/13264343/+listing-archive-extra
[Rationale]
The packages rustc and cargo are required in Ubuntu main as the Rust programming
language is gaining in popularity, and those two packages are, respectively, its
main compiler implementation and its dedicated build tool (and dependency manager).
There are a few packages in main already that have partially switched to Rust
as their implementation language, and so rustc and cargo will be needed to keep
us in sync with their upstream. See for instance
https://bugs.launchpad.net/ubuntu/+source/mdevctl/+bug/1942394 and
https://lists.debian.org/debian-python/2021/12/msg00000.html
(python-cryptography is in main)
Note that the huge majority of our users will not use these packages, their
purpose is to be a build-dependency for other packages. In particular, it is
not particularly expected at this stage that those of our users that are Rust
developers, which usually rely on their toolchain being managed in their $HOME
by the `rustup` tool.
[Security]
cargo and rustc had 19 recorded security issues in the past, mostly in the Rust standard library
(1 affecting cargo):
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&cpe_vendor=cpe%3A%2F%3Arust-
lang&cpe_product=cpe%3A%2F%3A%3Arust
All issues are usually handled promptly by the Rust team. However, the fixes
are rarely (if ever) backported to previous releases besides an occasional
1.X.1 point release for the latest stable.
There is an official Rust Security working group that curates a database of security
issues within the Rust ecosystem, including rustc/cargo:
https://github.com/rustsec/advisory-db
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Packages does not open privileged ports (ports < 1024)
- Packages does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)
Note however that in typical use, building a project with cargo+rustc involves
executing code that has been downloaded from crates.io: cargo builds and executes
the `build.rs` file for any pre-compilation task (a bit like a Makefile), and any use
of a proc macro dependency basically implies running arbitrary code (the macro) within
the execution context of rustc.
[Quality assurance - function/usage]
The packages work well right after install, one can easily create a simple Rust project
and run it.
[Quality assurance - maintenance]
The packages do not deal with exotic hardware we cannot support
[Quality assurance - testing]
The packages both run a test suite on build time. However, the rustc test suite
does NOT make the build fail as of 1.57. The reason is that there are always a few tests that fail, and it was a tradeoff made due to limited resources. Please note that Debian has a strategy of only failing the build if there are *too many* errors. As the Foundations team commits more resources on this toolchain, we've reverted back to Debian's system and are planning to making the testing story more rigorous.
Neither package has any autopkgtests in the versions currently in the
release pocket. The upcoming rustc upload will have an autopkgtest
consisting of rebuilding itself. Debian's cargo package now has a
similar autopkgtest, that will be cherry-picked in the next cargo
upload.
[Quality assurance - packaging]
debian/watch is present and works
rustc yields quite a bit of lintian output, but they seem mostly harmless.
https://lintian.debian.org/sources/rustc
There are lintian overrides present, but those are usually justified in the override
files themselves.
cargo is a bit more tame on the warning fronts
https://lintian.debian.org/sources/cargo
It has an override file for the source package, for relatively minor
warnings.
These packages does not rely on obsolete or about to be demoted
packages.
The packages will not be installed by default
The packaging is fairly complex, especially in the case of rustc. The crux of
the complexity can be attributed to the boostrapping issue, as well as the need
to deal with vendored dependencies. There is extensive documentation within the
debian/ directories to help with the difficulties, and a lot of things have been
automated in scripts living in debian/scripts/*
Note that originally, the upstream tarball for rustc includes the sources for
cargo as well as its vendored dependencies, but the Debian Rust team chose to
split it out in its own package.
[UI standards]
I do not believe there's a need for translation for these applications given the
stated purpose for having them in main.
[Dependencies]
The packages have quite a few vendored dependencies. However, their non-vendored
dependencies are all in main, as well as the build-dependencies, assuming for the purpose
of this analysis that src:rustc is in main.
[Standards compliance]
The packages violate the Debian Policy on vendored
dependencies, with a copy of libgit2 (as a delta to Debian) in cargo.
The upcoming 1.58.1+dfsg1~ubuntu1 version of src:rustc unbundles the
LLVM copy that's currently in src:rustc.
[Maintenance/Owner]
Owning Team will be Foundations
Team is not yet, but will subscribe to the package before promotion
Both packages use static linking for the Rust dependencies, as well as any
vendored C dependency (i.e. libgit2).
rustc uses vendored rust code tracked in Cargo.lock as shipped, in the package,
refreshing that code works via `cargo update ...` + cargo vendor
cargo has a different process, documented in debian/README.source.
TODO: actually try to update a dependency in cargo using the debian/README.source,
which are not that clear.
[Background information]
The Package descriptions explains the package well
Upstream Name is developed by the Rust Compiler team and the Cargo team, under
the umbrella of the Rust Foundation
Link to upstream project: https://www.rust-lang.org/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cargo/+bug/1957932/+subscriptions
More information about the foundations-bugs
mailing list