I started looking into this bug and trying to gauge it's impact.
In particular what if-any applications in Debian actually use the broken code.

First I tried to use codesearch to search for insert_many but I got way too many false-positives. So I tried a different approach. I did however notice some embedded
code copies of smallvec during this search, more on that later.

I used zcat /srv/ftp.debian.org/mirror/dists/sid/main/binary-amd64/Packages.gz | grep-dctrl rust-smallvec -sPackage to identify what applications use (directly or indirectly) rust-smallvec, I came up with the following list.

cargo-outdated (build-depends uninstallable, not in testing)
spotify-tui (not in testing)

I installed the build-dependencies for all of these packages except cargo-outdated and did "grep -r insert_many /usr/share/cargo/registry/" the only calls were in the
tests and benchmarks of smallvec itself.

I then downloaded and extracted the source packages for the apps themselves into a directory and issued "grep -r insert_many *" in that directory, there
were no matches

I tried to repeat the process for buster, unfortunately it seems the version
of the tooling used to build many of the rust packages in buster did not
add built-using: or x-cargo-built-using:, It's possible there are also some rust applications in bullseye that have not been touched for a long time and hence suffer from the same isue. Anyway one application was found in buster that
had an X-Cargo-Built-Using for rust-smallvec.

I found the following packages that appeard to have embedded copies of
smallvec, it's very possible there were others as I did not do an exhaustive
I repeated the build-dependency and source package contents tests described above in buster, using the list of packages from both stable and unstable
(where the package existed in stable), again I found now results.

Going back to the original codesearch I noticed the following packages
in the list, that seemed (based mainly on my memory of what uses rust)
like they might be rust-related and investigated them further. I did not
investigate every package in the list for rust dependencies.


firefox, firefox-esr, librsvg and thunderbird seem to have embedded
copies of rust-smallvec, but don't appear to call insert_many

rust-lexical-core seems to be completely unrelated to arrayvec
(it does not build-depend directly or indirectly on it and it
does not appear to have an embedded copy of it)

This search has not been perfect and I may try and assemble tooling to
do a better one, but my tentative conclusion is that the insert_many
operation in rust-arrayvec does not seem to actually be used.

Reply via email to