I reviewed rustc 1.57.0+dfsg1+llvm-0ubuntu2 as checked into jammy (but also peeked briefly at 1.58.1+dfsg1~ubuntu1-0ubuntu1~ppa5 in Simon's PPA). This shouldn't be considered a full audit but rather a quick gauge of maintainability, and it is a somewhat more streamlined review than normal due to the nature of Rust.
Rust is a programming language and runtime environment that is intended to be a modern systems language. In general, the Ubuntu Security team views more widespread usage of Rust as a positive thing; the primary drawback being, like Go before it, that the choice to statically link everything makes security updates more challenging for both the deliverer and users on limited bandwidth. The Built-Using: mechanism at least gives us a chance to determine what needs to be rebuilt when a Rust library has a security vulnerability that needs addressing. In order to get Built-Using: applied to Rust applications in jammy, does this mean that every Rust application needs, at a minimum, a no-change rebuild before jammy is released? If so, is there a plan for that?

I'd like to ask what the support expectation and commitment from the Foundations team is for the Rust toolchain and the separated-out LLVM:

- Is the expectation that version bumps of Rust, possibly along with version bumps of LLVM where necessary, will be brought back to 22.04 LTS?
- If so, does the source package need a versioned name, as done for other toolchains?
- As more things depend on Rust either wholly or partially (e.g. the ongoing work on the Linux kernel), is there an expectation that this will change for 24.04 LTS?

For CVE history, there are 21 CVEs in the security team's tracker that affect Rust, 20 of them in the standard library. (There is also a very recent additional issue that affects the vendored copy of rust-crossbeam in the rustc source package.) Generally, upstream looks responsive to security issues.

Given all the above, the Ubuntu Security team provisionally acks rustc for main, assuming the questions above can be answered.

** Changed in: rustc (Ubuntu)
       Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1957932
Title: [MIR] rustc, cargo
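As an added illustration of the Built-Using: mechanism the review relies on (example code, not part of the bug report or of any Ubuntu tooling), the following parses constructed Packages-style stanzas and lists the binaries whose Built-Using field names a given source package, together with the version each one embeds. All package names and versions except the rustc version quoted in the review are placeholders.

```python
import re

# Constructed Packages-style stanzas (not real archive data): the rustc version
# is the one named in the review, other names/versions are placeholders, and
# the second stanza folds Built-Using across two lines as deb822 allows.
SAMPLE_PACKAGES = """\
Package: rust-app-one
Version: 1.0-1
Built-Using: rustc (= 1.57.0+dfsg1+llvm-0ubuntu2), rust-somecrate (= 0.3.1-1)

Package: rust-app-two
Version: 2.4-3
Built-Using: rustc (= 1.56.1+dfsg1-1),
 rust-somecrate (= 0.3.2-1)
"""

# Each Built-Using entry reads "<source> (= <version>)", comma separated.
_ENTRY_RE = re.compile(r"(\S+)\s*\(=\s*([^)]+)\)")

def parse_stanzas(text):
    """Parse deb822-style stanzas into dicts, folding continuation lines."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():              # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last:   # continuation of the previous field
            current[last] += " " + line.strip()
        else:
            field, _, value = line.partition(":")
            last = field.strip()
            current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def built_using(stanza):
    """Return {source: embedded version} from a stanza's Built-Using field."""
    return dict(_ENTRY_RE.findall(stanza.get("Built-Using", "")))

def rebuild_candidates(text, source):
    """Binaries whose Built-Using names `source`, with the version they embed."""
    hits = []
    for stanza in parse_stanzas(text):
        version = built_using(stanza).get(source)
        if version is not None:       # compare with dpkg --compare-versions
            hits.append((stanza["Package"], version))
    return sorted(hits)
```

The same functions can be pointed at /var/lib/dpkg/status or an archive Packages file; deciding whether an embedded version predates the fix is a job for dpkg --compare-versions, since Debian version order is not plain string order.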