** Summary changed:

- FTBFS on Resolute for i386
+ [MIR] cargo needs cargo-auditable as runtime dependency

** Description changed:

- rust-cargo-auditable fails to build on i386 due to missing dependencies:
+ [Availability]
+ The package rust-cargo-auditable is already in Ubuntu universe.
+ It currently builds and works for the following architectures:
+ - amd64
+ - amd64v3
+ - arm64
+ - armhf
+ - ppc64el
+ - riscv64
+ - s390x
+ Link to package: https://launchpad.net/ubuntu/+source/rust-cargo-auditable
- Missing build dependencies: librust-auditable-serde-0.9+default-dev,
- librust-cargo-metadata-0.23+default-dev, librust-miniz-oxide+default-dev
- (<< 0.9-~~), librust-miniz-oxide+default-dev (>= 0.7-~~),
- librust-object+write-dev (<< 0.38-~~), librust-object+write-dev (>= 0.36-~~),
- librust-pico-args-0.5+default-dev, librust-pico-args-0.5+eq-separator-dev,
- librust-pico-args-0.5+short-space-opt-dev, librust-serde-1+default-dev
- (>= 1.0.147-~~), librust-serde-json-1+default-dev (>= 1.0.57-~~),
- librust-wasm-gen-0.1+default-dev (>= 0.1.4-~~)
+ Currently, the package won't build on i386 due to missing dependencies.
+ However, I have an MP[1] open which vendors the dependencies.
+ I have tested the vendored-dependency build in a PPA and it builds on all architectures, including i386:
+ https://launchpad.net/~maxgmr/+archive/ubuntu/rust-cargo-auditable-lp2142252
+ Note that this dependency vendoring is required for main inclusion regardless.
- Since it is now a dependency of cargo-1.93, in order for cargo-1.93 to
- be installable on i386 rust-cargo-auditable must have an i386 build. The
- likely solution here is to vendor the rust-cargo-auditable dependencies.
+ [Rationale]
+ - The package rust-cargo-auditable is required in Ubuntu main as a runtime dependency of cargo, which is provided by rust-defaults[2], a package already in main.
+ - The package rust-cargo-auditable is a new runtime dependency of package cargo (provided by rust-defaults) that we already support
+ - It will allow Rust packagers to embed the dependencies of a distributed Rust binary directly in the binary itself, allowing better auditing against supply-chain attacks
+ - This is the first time the package will be in main
+ - The binary package cargo-auditable needs to be in main to make cargo installable
+ - All other binary packages built by rust-cargo-auditable should remain in universe
+
+ - The package rust-cargo-auditable is required in Ubuntu main no later than the 26.04 Beta Freeze (March 23, 2026). This is because after rust-cargo-auditable is in and rust-defaults can build, we still need time to fix any rust-defaults issues before the Final Freeze.
+
+ [Security]
+ - No CVEs/security issues in the past
+ - 0 Debian security issues: https://security-tracker.debian.org/tracker/source-package/rust-cargo-auditable
+ - 0 Ubuntu CVEs: https://ubuntu.com/security/cves?package=rust-cargo-auditable
+ - 0 issues in Rust-specific database: https://rustsec.org/search.html?q=cargo-auditable
+
+ - no `suid` or `sgid` binaries
+ - no executables in `/sbin` and `/usr/sbin`
+ - Package does not install services, timers or recurring jobs
+ - Security has been kept in mind and common isolation/risk-mitigation patterns are in place utilizing the following features:
+ Package has minimal permissions; it is simply a cargo wrapper that encodes extra data into Rust binaries.
+ - Package does not open privileged ports (ports < 1024).
+ - Package does not expose any external endpoints
+ - Package does not contain extensions to security-sensitive software
+
+ [Quality assurance - function/usage]
+ - The package works well right after install
+
+ [Quality assurance - maintenance]
+ - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
+ - 1 in Ubuntu (this one): https://bugs.launchpad.net/ubuntu/+source/rust-cargo-auditable/+bug
+ - 0 in Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-cargo-auditable
+ - Upstream: https://github.com/rust-secure-code/cargo-auditable/issues?q=is%3Aissue%20state%3Aopen%20label%3Abug
+ - The package has important open bugs:
+ - Currently, cargo resolver v2[3] is unsupported[4]. The only consequence of this is that some binaries may embed more dependencies than they actually have. Luckily, this means that any supply-chain vulnerabilities won't be missed due to this bug.
+ - The package does not deal with exotic hardware we cannot support
+
+ [Quality assurance - testing]
+ - The package runs a test suite on build time, if it fails it makes the build fail
+ - Build log: https://launchpadlibrarian.net/849536855/buildlog_ubuntu-resolute-amd64.rust-cargo-auditable_0.7.2-1ubuntu1~ppa4_BUILDING.txt.gz
+
+ - The package runs an autopkgtest, and is currently passing on all supported architectures:
+ - amd64: https://autopkgtest.ubuntu.com/results/autopkgtest-resolute-maxgmr-rust-cargo-auditable-lp2142252/resolute/amd64/r/rust-cargo-auditable/20260227_222739_8edc5@/log.gz
+ - arm64: https://autopkgtest.ubuntu.com/results/autopkgtest-resolute-maxgmr-rust-cargo-auditable-lp2142252/resolute/arm64/r/rust-cargo-auditable/20260227_220018_63d20@/log.gz
+ - armhf: https://autopkgtest.ubuntu.com/results/autopkgtest-resolute-maxgmr-rust-cargo-auditable-lp2142252/resolute/armhf/r/rust-cargo-auditable/20260227_215623_0b9a7@/log.gz
+ - i386: https://autopkgtest.ubuntu.com/results/autopkgtest-resolute-maxgmr-rust-cargo-auditable-lp2142252/resolute/i386/r/rust-cargo-auditable/20260227_222747_76319@/log.gz
+ - ppc64el: https://autopkgtest.ubuntu.com/results/autopkgtest-resolute-maxgmr-rust-cargo-auditable-lp2142252/resolute/ppc64el/r/rust-cargo-auditable/20260227_220104_39573@/log.gz
+ - s390x: https://autopkgtest.ubuntu.com/results/autopkgtest-resolute-maxgmr-rust-cargo-auditable-lp2142252/resolute/s390x/r/rust-cargo-auditable/20260227_220258_a4a40@/log.gz
+
+ - The package does not have failing autopkgtests right now
+
+ [Quality assurance - packaging]
+ - A mechanism to detect and fetch new upstream versions is present and works (d/watch)
+
+ - debian/control defines a correct Maintainer field
+
+ - This package does not yield massive lintian Warnings, Errors
+ - Build log: https://launchpad.net/~maxgmr/+archive/ubuntu/rust-cargo-auditable-lp2142252/+build/32325062/+files/buildlog_ubuntu-resolute-amd64.rust-cargo-auditable_0.7.2-1ubuntu1~ppa4_BUILDING.txt.gz
+ - lintian --pedantic:
+ W: rust-cargo-auditable source: unknown-field Vendored-Sources-Rust
+ P: rust-cargo-auditable source: maintainer-manual-page [debian/cargo-auditable.1]
+ - The only present Lintian overrides are file-without-copyright-information in d/source/lintian-overrides. These are necessary because Windows-only crates get replaced with empty stubs during the vendoring process; they aren't actually real vendored crates. Therefore, there is no copyright associated with them.
+
+ - This package does not rely on obsolete or about to be demoted packages.
+ - This package has no python2 or GTK2 dependencies
+
+ - The package will be installed by default, but does not ask debconf questions higher than medium
+
+ - Packaging is complex, but that is OK because all of the unconventional packaging aspects (all related to the vendored dependencies) are documented in `debian/README.source`. Here, the process of getting the source, updating the vendored dependencies, and updating the vendored copyright stanzas is described in detail.
+
+ [UI standards]
+ - Application is not end-user facing (does not need translation)
+
+ [Dependencies]
+ - Used check-mir from ubuntu-dev-tools to validate all dependencies or recommends are in main.
+
+ [Standards compliance]
+ - This package correctly follows FHS and Debian Policy
+
+ [Maintenance/Owner]
+ - The owning team will be foundations-bugs and I have their acknowledgment for that commitment
+ - The future owning team is already subscribed to the package
+
+ - The team foundations-bugs is aware of the implications of a static build and commits to test no-change-rebuilds and to fix any issues found for the lifetime of the release (including ESM)
+
+ - The team foundations-bugs is aware of the implications of vendored code and (as alerted by the security team) commits to provide updates and backports to the security team for any affected vendored code for the lifetime of the release (including ESM).
+
+ - This package uses vendored Rust code tracked in Cargo.lock as shipped, in the package (at /usr/share/doc/<pkgname>/Cargo.lock - might be compressed); refreshing that code is outlined in debian/README.source
+
+ - This package uses vendored code; the debian/copyright has been updated to cover the vendored content
+
+ - This package is Rust-based and vendors all non-language-runtime dependencies
+
+ - The package has been built within the last 3 months in PPA
+ - Build link on launchpad: https://launchpad.net/~maxgmr/+archive/ubuntu/rust-cargo-auditable-lp2142252/+packages
+
+ - This change will not impact other teams
+
+ [Background information]
+ - The package description explains the package well
+ - Upstream Name is cargo-auditable
+ - Link to upstream project: https://github.com/rust-secure-code/cargo-auditable
+
+ [1]: https://code.launchpad.net/~maxgmr/ubuntu/+source/rust-cargo-auditable/+git/rust-cargo-auditable/+merge/500869
+ [2]: https://launchpad.net/ubuntu/+source/rust-defaults
+ [3]: https://doc.rust-lang.org/cargo/reference/resolver.html#feature-resolver-version-2
+ [4]: https://github.com/rust-secure-code/cargo-auditable/issues/38

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142252

Title:
  [MIR] cargo needs cargo-auditable as runtime dependency
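An added example (my own code, not from the bug report or the cargo-auditable project) of what the embedded dependency data described under [Rationale] enables: decompressing the zlib-compressed JSON that cargo-auditable writes into a binary's `.dep-v0` section and checking the runtime dependency closure against an advisory list. The section name and the JSON fields used here (packages, name, version, source, kind, dependencies, root) are my reading of upstream's auditable-serde format and should be treated as assumptions; the sample audit record and the advisory list are constructed.

```python
import json
import zlib

# Constructed sample of the decompressed `.dep-v0` contents (assumed
# format, modelled on upstream's auditable-serde; not real binary data).
SAMPLE_AUDIT = {
    "packages": [
        {"name": "myapp", "version": "0.1.0", "source": "local",
         "dependencies": [1, 3], "root": True},
        {"name": "serde", "version": "1.0.147", "source": "crates.io",
         "dependencies": [2]},
        {"name": "serde_derive", "version": "1.0.147", "source": "crates.io",
         "kind": "build"},
        {"name": "miniz_oxide", "version": "0.7.1", "source": "crates.io"},
        # Listed but not reachable from the root: the over-reporting the bug
        # report mentions for resolver v2 (a false positive, never a miss).
        {"name": "leftover-crate", "version": "2.0.0", "source": "crates.io"},
    ]
}
# The section stores the JSON zlib-compressed; build the blob the same way.
SAMPLE_BLOB = zlib.compress(json.dumps(SAMPLE_AUDIT).encode())


def decode_audit(blob: bytes) -> dict:
    """Decompress and parse the raw bytes of a `.dep-v0` section."""
    return json.loads(zlib.decompress(blob).decode())


def runtime_packages(audit: dict) -> list:
    """Return sorted (name, version) pairs reachable from the root package
    over runtime edges; build-only packages (kind == "build") are skipped."""
    pkgs = audit["packages"]
    seen, stack = set(), [i for i, p in enumerate(pkgs) if p.get("root")]
    while stack:
        i = stack.pop()
        if i in seen or pkgs[i].get("kind") == "build":
            continue
        seen.add(i)
        stack.extend(pkgs[i].get("dependencies", []))
    return sorted((pkgs[i]["name"], pkgs[i]["version"]) for i in seen)


def find_affected(audit: dict, advisories: dict) -> list:
    """advisories maps crate name -> set of affected versions (for instance
    exported from RustSec). Returns the runtime packages that match."""
    return [(n, v) for n, v in runtime_packages(audit)
            if v in advisories.get(n, ())]


if __name__ == "__main__":
    audit = decode_audit(SAMPLE_BLOB)
    print("runtime:", runtime_packages(audit))
    print("affected:", find_affected(audit, {"serde": {"1.0.147"}}))
```

On a real binary built with `cargo auditable`, `objcopy --dump-section .dep-v0=audit.bin ./app ./app.copy` writes the section to audit.bin, which can then be fed to decode_audit.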
