Bug#1130467: marked as done (nanopub - upcoming rand stack update.)

Sat, 21 Mar 2026 15:37:28 -0700 

Your message dated Sat, 21 Mar 2026 23:35:25 +0100
with message-id <[email protected]>
and subject line Re: Bug#1130467: nanopub - upcoming rand stack update.
has caused the Debian Bug report #1130467,
regarding nanopub - upcoming rand stack update.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1130467: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130467
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: nanopub

We are in the process of preparing an update to the rust random
stack, due to the number of packages involved, we plan to handle
this in multiple phases.

In the first phase we plan to update getrandom, rand-core,
rand-chacha and rand, while introducing semver-suffix packages
for rand-core-0.6 rand-chacha-0.2 and rand-0.8. We do not
plan to introduce a semver-suffix package for getrandom.

In commit 372445a710784c8d7d3261b019f4de41f6b3e5b7 upstream
updated getrandom to 0.3, and stopped using rand. They also
made a number of other unrelated changes in the same commit,
I backported relavent parts of the commit to the Debian
package and further bumped getrandom to 0.4. A debdiff
is attatched.
diff -Nru nanopub-0.2.0+ds/debian/changelog nanopub-0.2.0+ds/debian/changelog
--- nanopub-0.2.0+ds/debian/changelog   2026-02-25 11:55:33.000000000 +0000
+++ nanopub-0.2.0+ds/debian/changelog   2026-03-11 08:36:24.000000000 +0000
@@ -1,3 +1,12 @@
+nanopub (0.2.0+ds-1.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Add patch based on upstream commit to update getrandom and eliminate
+    dependency on rand.
+  * Adjust debian build-dependencies.
+
+ -- Peter Michael Green <[email protected]>  Wed, 11 Mar 2026 08:36:24 +0000
+
 nanopub (0.2.0+ds-1) unstable; urgency=medium
 
   [ upstream ]
diff -Nru nanopub-0.2.0+ds/debian/control nanopub-0.2.0+ds/debian/control
--- nanopub-0.2.0+ds/debian/control     2026-02-25 11:55:33.000000000 +0000
+++ nanopub-0.2.0+ds/debian/control     2026-03-11 08:36:24.000000000 +0000
@@ -11,13 +11,12 @@
  librust-clap-dev,
  librust-clap-complete-dev,
  librust-futures-dev,
- librust-getrandom-dev,
+ librust-getrandom-0.4-dev,
  librust-openssl-probe-dev,
  librust-oxjsonld-dev,
  librust-oxrdf-dev,
  librust-oxrdfio-dev,
  librust-oxttl-dev,
- librust-rand-core-dev,
  librust-regex-dev,
  librust-reqwest-dev,
  librust-rsa-dev,
diff -Nru nanopub-0.2.0+ds/debian/patches/0001_getrandom_rand.patch 
nanopub-0.2.0+ds/debian/patches/0001_getrandom_rand.patch
--- nanopub-0.2.0+ds/debian/patches/0001_getrandom_rand.patch   1970-01-01 
00:00:00.000000000 +0000
+++ nanopub-0.2.0+ds/debian/patches/0001_getrandom_rand.patch   2026-03-11 
08:36:24.000000000 +0000
@@ -0,0 +1,100 @@
+Description: update getrandom to 0.4
+ This patch adopts portions of upstream commit 
372445a710784c8d7d3261b019f4de41f6b3e5b7
+ and futher bumps getrandom to version 0.4.
+Author: Peter Michael Green <[email protected]>
+Forwarded: not-needed
+Last-Update: 2026-03-11
+
+Index: nanopub-0.2.0+ds/lib/Cargo.toml
+===================================================================
+--- nanopub-0.2.0+ds.orig/lib/Cargo.toml
++++ nanopub-0.2.0+ds/lib/Cargo.toml
+@@ -27,12 +27,15 @@ regex = "1.10"
+ serde = { version = "1.0", features = ["derive"] }
+ chrono = "0.4.35"
+ reqwest = { version = "0.12", default-features = false }
+-rand = { version = "0.8", features = ["std", "std_rng"], default-features = 
false }
+-getrandom = { version = "0.2", features = ["js"] }
++getrandom = { version = "0.4", default-features = false }
++
++# TODO: use rsa 0.10 when out
++# rsa = { version = "0.10.0-rc.15", default-features = false, features = 
["encoding", "sha2" ] }
++# rand = { version = "0.10", features = ["std", "std_rng", "sys_rng"], 
default-features = false }
++# getrandom = { version = "0.4", features = ["wasm_js"] }
+ # openssl-probe = "0.1"
+ 
+ # reqwest = { version = "0.11", features = ["rustls-tls"], default-features = 
false }
+-# rand = { version = "0.8", features = ["std_rng"], default-features = false }
+ # log = { version = "0.0.2", features = ["std"] }
+ # futures = "0.3"
+ # sophia = { version = "0.8.0-alpha.3", git = 
"https://github.com/pchampin/sophia_rs.git";, rev = "ec13628", features = 
["jsonld"] }
+Index: nanopub-0.2.0+ds/lib/src/profile.rs
+===================================================================
+--- nanopub-0.2.0+ds.orig/lib/src/profile.rs
++++ nanopub-0.2.0+ds/lib/src/profile.rs
+@@ -1,6 +1,4 @@
+ use base64::{engine, Engine as _};
+-use rand::rngs::StdRng;
+-use rand::SeedableRng;
+ use rsa::pkcs1::{DecodeRsaPrivateKey, DecodeRsaPublicKey};
+ use rsa::pkcs8::{DecodePrivateKey, DecodePublicKey, EncodePrivateKey, 
EncodePublicKey};
+ use rsa::{RsaPrivateKey, RsaPublicKey};
+@@ -238,9 +236,36 @@ pub fn get_pubkey_str(pubkey: &RsaPublic
+ 
+ /// Generate private/public key pair
+ pub fn gen_keys() -> Result<(String, String), NpError> {
+-    let mut rng = StdRng::from_entropy();
+-    let bits = 2048;
+-    let priv_key = RsaPrivateKey::new(&mut rng, bits).expect("failed to 
generate a key");
++    // rsa 0.9 requires rand_core 0.6 traits; rand 0.9 uses rand_core 0.9, so 
we can't use rand directly
++    // Bridge: implement rand_core 0.6's RngCore+CryptoRng on a wrapper 
backed by getrandom::fill.
++    struct GetrandomRng;
++    impl rsa::rand_core::RngCore for GetrandomRng {
++        fn next_u32(&mut self) -> u32 {
++            let mut b = [0u8; 4];
++            getrandom::fill(&mut b).expect("getrandom failed");
++            u32::from_le_bytes(b)
++        }
++        fn next_u64(&mut self) -> u64 {
++            let mut b = [0u8; 8];
++            getrandom::fill(&mut b).expect("getrandom failed");
++            u64::from_le_bytes(b)
++        }
++        fn fill_bytes(&mut self, dest: &mut [u8]) {
++            getrandom::fill(dest).expect("getrandom failed");
++        }
++        fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), 
rsa::rand_core::Error> {
++            getrandom::fill(dest).expect("getrandom failed");
++            Ok(())
++        }
++    }
++    impl rsa::rand_core::CryptoRng for GetrandomRng {}
++    // TODO: waiting for rsa v0.10
++    // use rand::rngs::{StdRng, SysRng};
++    // use rand::SeedableRng;
++    // let mut rng = StdRng::try_from_rng(&mut SysRng).expect("failed to seed 
RNG");
++    // let priv_key = RsaPrivateKey::new(&mut rng, 2048).expect("failed to 
generate a key");
++
++    let priv_key = RsaPrivateKey::new(&mut GetrandomRng, 2048).expect("failed 
to generate a key");
+     let pub_key = RsaPublicKey::from(&priv_key);
+     Ok((
+         normalize_key(&priv_key.to_pkcs8_pem(rsa::pkcs8::LineEnding::LF)?)?,
+Index: nanopub-0.2.0+ds/lib/src/utils.rs
+===================================================================
+--- nanopub-0.2.0+ds.orig/lib/src/utils.rs
++++ nanopub-0.2.0+ds/lib/src/utils.rs
+@@ -1,4 +1,4 @@
+-use getrandom::getrandom;
++use getrandom::fill;
+ use oxjsonld::JsonLdParser;
+ use oxrdf::{
+     Dataset, GraphNameRef, NamedNode, NamedNodeRef, NamedOrBlankNodeRef, 
QuadRef, TermRef,
+@@ -85,7 +85,7 @@ pub fn get_np_server(random: bool) -> &'
+     }
+     // Generate a random number
+     let mut buf = [0u8; 4];
+-    getrandom(&mut buf).expect("Failed to generate random number");
++    fill(&mut buf).expect("Failed to generate random number");
+     let num = u32::from_ne_bytes(buf);
+     let index = num as usize % LIST_SERVERS.len();
+     LIST_SERVERS[index]
diff -Nru nanopub-0.2.0+ds/debian/patches/2003_no_wasm.patch 
nanopub-0.2.0+ds/debian/patches/2003_no_wasm.patch
--- nanopub-0.2.0+ds/debian/patches/2003_no_wasm.patch  2026-02-25 
11:55:21.000000000 +0000
+++ nanopub-0.2.0+ds/debian/patches/2003_no_wasm.patch  2026-03-11 
08:26:43.000000000 +0000
@@ -15,14 +15,3 @@
  ]
  
  [workspace.package]
---- a/lib/Cargo.toml
-+++ b/lib/Cargo.toml
-@@ -28,7 +28,7 @@
- chrono = "0.4.35"
- reqwest = { version = "0.12", default-features = false }
- rand = { version = "0.8", features = ["std", "std_rng"], default-features = 
false }
--getrandom = { version = "0.2", features = ["js"] }
-+getrandom = { version = "0.2" }
- # openssl-probe = "0.1"
- 
- # reqwest = { version = "0.11", features = ["rustls-tls"], default-features = 
false }
diff -Nru nanopub-0.2.0+ds/debian/patches/series 
nanopub-0.2.0+ds/debian/patches/series
--- nanopub-0.2.0+ds/debian/patches/series      2026-02-25 11:55:21.000000000 
+0000
+++ nanopub-0.2.0+ds/debian/patches/series      2026-03-11 08:36:24.000000000 
+0000
@@ -1,3 +1,4 @@
+0001_getrandom_rand.patch
 1001_wasm-pack.patch
 2001_privacy.patch
 2003_no_net.patch

--- End Message ---
--- Begin Message --- 
Version: 0.2.0+ds-1.1

Quoting Jonas Smedegaard (2026-03-21 18:30:12)
> [ reposted to bugreport ]
> 
> Quoting Peter Green (2026-03-21 17:28:03)
> > On 12/03/2026 22:09, Jonas Smedegaard wrote:
> > > This change depends on crate rsa getting aligned first,
> > 
> > In order to avoid dealing with around two hundred packages
> > at once we have decided to introduce semver-suffix packages
> > for rand-core, rand-chacha and rand.
> > 
> > This decision reduces the number of package we have to
> > deal with at the same time, but it means that when
> > packages use types/traits from rand-core in their APIs we
> > have to be careful about when and how we move them
> > from the old rand-core to the new.
> > 
> > So the first phase of the rand stack update is primarily
> > about updating getrandom. The new versions of rand,
> > rand-core and rand-chacha will become available and
> > can be used immediately for "simple" cases but more
> > complex cases, such as packages that expose rand-core
> > traits in thier APIs will be dealt with later, Ideally by
> > updating them to new upstream versions.
> > 
> > rsa is such a crate, it exposes rand-core traits in it's API,
> > and unfortunately while a new upstream release has
> > been in preperation for a while it seems to be taking
> > a long time to finalise.
> > 
> > The debdiff I attached for nanopub reflects what
> > upstream did, and works fine. If you would prefer
> > I can produce a smaller debdiff that only updates
> > getrandom and doesn't touch any rand/rand-core
> > related stuff.
> > 
> > I hope that all makes sense.
> 
> I have been unable to succesfully build the package with the patch
> applied.
> 
> Please demonstrate that the patch works, but uploading as an NMU.
> 
> I find it bad that you release to unstable knowing that this
> bugreport is still open.
> 
> Obviously, I hope that it is just me being stupid at applying your
> patch and this bug is easy-peasy for you for solve, but I still find
> the order of events here problematic.

Ahh, you solved it by pushing rust-rand-core 0.10 to unstable today.

That did not make sense to me, despite you mentioning rand-core among
the list of things involved.

Thanks.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Attachment: signature.asc
Description: signature


--- End Message ---

Reply via email to