Closed: atlaua closed 7 years ago
Turns out libgit2-sys-0.6.4 isn't compatible with libressl either; updating to 0.6.6 should do the trick.
The request stems from https://bugs.gentoo.org/show_bug.cgi?id=604044. Effectively what @atlaua is looking for is a 0.15.1 tarball from crates.io that has an updated Cargo.lock.
Gentoo's packaging requires us to follow what the Cargo.lock has in it due to not allowing network access during the compilation phase. I've discussed this item in other tickets a whole bunch and have put it in practice. Our policy is https://wiki.gentoo.org/wiki/Project:Rust and I mentioned to @atlaua that this is likely unlikely to happen until the next release.
@atlaua My suggestion would be to open a PR where Cargo is built against libressl using Travis and/or the upstream depends of Cargo are tested that way.
I don't see how this is a Gentoo-specific problem. Everyone building cargo will use the crate versions specified in Cargo.lock, right? (Unless they explicitly run "cargo update", of course). Hence, Cargo.lock should be updated if it references buggy crate versions.
And in the case you expect everyone building cargo to run "cargo update" beforehand: What's the point of shipping Cargo.lock in the git repo at all?
@cardoe Setting up a Travis build to test libressl compatibility certainly sounds like a good idea to me. But I've absolutely zero experience with Travis, so I probably won't be able to come up with a PR to realize this.
Sounds fine to me! Want to send a PR?
Sure, here you go: #3520 and #3521
By the way, care to enlighten me why Cargo.lock is included in the git repo at all? Isn't this just asking for trouble?
Thanks @cardoe, I wasn't aware this is officially recommended. (It still seems weird to me, anyway; surely every distro maintainer and security researcher would agree that hardwiring the exact versions of dependencies is a baaad idea.)
I believe we've since done this, so closing.
Could you please update the dependencies on the openssl and openssl-sys crates in Cargo.lock to at least 0.9.4? Previous versions of those crates aren't compatible with LibreSSL.