rust-lang / cargo

The Rust package manager
https://doc.rust-lang.org/cargo
Apache License 2.0

Update openssl{,-sys} dependencies #3516

Closed atlaua closed 7 years ago

atlaua commented 7 years ago

Could you please update the dependencies on the openssl and openssl-sys crates in Cargo.lock to at least 0.9.4? Previous versions of those crates aren't compatible with LibreSSL.

atlaua commented 7 years ago

Turns out libgit2-sys-0.6.4 isn't compatible with libressl either; updating to 0.6.6 should do the trick.

cardoe commented 7 years ago

The request stems from https://bugs.gentoo.org/show_bug.cgi?id=604044. Effectively what @atlaua is looking for is a 0.15.1 tarball from crates.io that has an updated Cargo.lock.

cardoe commented 7 years ago

Gentoo's packaging requires us to follow what the Cargo.lock has in it due to not allowing network access during the compilation phase. I've discussed this item in other tickets a whole bunch and have put it in practice. Our policy is https://wiki.gentoo.org/wiki/Project:Rust and I mentioned to @atlaua that this is unlikely to happen until the next release.

@atlaua My suggestion would be to open a PR where Cargo is built against libressl using Travis and/or the upstream depends of Cargo are tested that way.

atlaua commented 7 years ago

I don't see how this is a gentoo-specific problem. Everyone building cargo will use the crate versions specified in Cargo.lock, right? (Unless they explicitly run "cargo update", of course). Hence, Cargo.lock should be updated if it references buggy crate versions.

And in the case you expect everyone building cargo to run "cargo update" beforehand: What's the point of shipping Cargo.lock in the git repo at all?

@cardoe Setting up a travis build to test libressl compatibility certainly sounds like a good idea to me. But I've absolutely zero experience with travis, so I probably won't be able to come up with a PR to realize this.
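A lockfile audit for the minimum versions named in this thread (openssl and openssl-sys 0.9.4, libgit2-sys 0.6.6), added here as an example and not Cargo's own code: it parses the `[[package]]` tables of a Cargo.lock and reports every pin below the LibreSSL-compatible minimum. The sample lockfile and its pinned versions are constructed, not taken from the real repository.

```python
import re
from typing import Dict, List, Tuple

# Minimum versions the thread names: openssl and openssl-sys >= 0.9.4,
# libgit2-sys >= 0.6.6 (the LibreSSL-compatible releases).
MIN_VERSIONS: Dict[str, str] = {
    "openssl": "0.9.4",
    "openssl-sys": "0.9.4",
    "libgit2-sys": "0.6.6",
}

# Constructed sample in the old Cargo.lock layout (one [[package]] table per
# crate); the pinned versions below are illustrative, not the real lockfile.
SAMPLE_LOCK = """\
[[package]]
name = "libgit2-sys"
version = "0.6.4"

[[package]]
name = "openssl"
version = "0.9.1"

[[package]]
name = "openssl-sys"
version = "0.9.5"
"""

_PKG = re.compile(r'\[\[package\]\]\s*\nname = "([^"]+)"\s*\nversion = "([^"]+)"')

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.9.4' into (0, 9, 4) so versions compare numerically; a pre-release suffix is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def locked_packages(lock_text: str) -> Dict[str, List[str]]:
    """Map crate name -> every version pinned for it (a crate can be locked at two versions)."""
    pkgs: Dict[str, List[str]] = {}
    for name, version in _PKG.findall(lock_text):
        pkgs.setdefault(name, []).append(version)
    return pkgs

def find_outdated(lock_text: str, minimums: Dict[str, str] = MIN_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (crate, pinned, required) for each pin below its minimum version."""
    hits = []
    for name, versions in locked_packages(lock_text).items():
        for v in versions:
            if name in minimums and parse_version(v) < parse_version(minimums[name]):
                hits.append((name, v, minimums[name]))
    return sorted(hits)
```

Run `find_outdated(open("Cargo.lock").read())` against a checkout to list the pins that would have to move before an offline build (such as Gentoo's) could link against LibreSSL.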

alexcrichton commented 7 years ago

Sounds fine to me! Want to send a PR?

atlaua commented 7 years ago

Sure, here you go: #3520 and #3521

atlaua commented 7 years ago

By the way, care to enlighten me why Cargo.lock is included in the git repo at all? Isn't this just asking for trouble?

cardoe commented 7 years ago

See http://doc.crates.io/guide.html#cargotoml-vs-cargolock and http://doc.crates.io/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries for more info.

atlaua commented 7 years ago

Thanks @cardoe, I wasn't aware this is officially recommended. (It still seems weird to me, anyway; surely every distro maintainer and security researcher would agree that hardwiring the exact versions of dependencies is a baaad idea.)

alexcrichton commented 7 years ago

I believe we've since done this, so closing.