Source: rust-base64 Version: 0.21.7-1 Severity: wishlist X-Debbugs-Cc: Daniel Kahn Gillmor <d...@fifthhorseman.net>
rust-base64 has a new upstream version 0.22.0 available, with the following subtle changes to the API since 0.21.7: - `DecodeSliceError::OutputSliceTooSmall` is now conservative rather than precise. That is, the error will only occur if the decoded output _cannot_ fit, meaning that `Engine::decode_slice` can now be used with exactly-sized output slices. As part of this, `Engine::internal_decode` now returns `DecodeSliceError` instead of `DecodeError`, but that is not expected to affect any external callers. - `DecodeError::InvalidLength` now refers specifically to the _number of valid symbols_ being invalid (i.e. `len % 4 == 1`), rather than just the number of input bytes. This avoids confusing scenarios when based on interpretation you could make a case for either `InvalidLength` or `InvalidByte` being appropriate. In debian, we have a bunch of different packages that depend on 0.21: Versions of rdeps of rust-base64 in unstable, that also exist in testing: librust-alacritty-terminal-dev 0.19.1-7 depends on librust-base64-0.21+default-dev, librust-bson-dev 2.10.0-1 depends on librust-base64-0.21+default-dev, librust-cargo-dev 0.70.1-2 depends on librust-base64-0.21+default-dev, librust-charset-dev 0.1.3-1+b1 depends on librust-base64-0.21+default-dev, librust-cookie-dev 0.18.0-1 depends on librust-base64-0.21+default-dev (>= 0.21.4-~~), librust-embed-doc-image-dev 0.1.4-1+b1 depends on librust-base64-0.21+default-dev, librust-fernet-dev 0.2.0+really0.1.4-3 depends on librust-base64-0.21+default-dev, librust-gix-transport-dev 0.42.0-1 depends on librust-base64-0.21+default-dev, librust-headers-dev 0.3.9-1+b1 depends on librust-base64-0.21+default-dev, librust-http-auth-dev 0.1.8-1+b1 depends on librust-base64-0.21+default-dev, librust-jsonwebtoken-dev 8.3.0-4 depends on librust-base64-0.21+default-dev, librust-oauth2-dev 4.4.1-2 depends on librust-base64-0.21+default-dev, librust-openssh-keys-dev 0.6.2-1+b1 depends on librust-base64-0.21+default-dev, librust-parsec-service-dev 1.3.0-5+b1 depends on librust-base64-0.21+default-dev, librust-parsec-tool-dev 0.7.0-4 depends on librust-base64-0.21+default-dev, librust-pem-dev 3.0.3-2 depends on librust-base64-0.21+alloc-dev, librust-base64-0.21+std-dev, librust-picky-asn1-x509-dev 0.10.0-1+b1 depends on librust-base64-0.21+default-dev, librust-plist-dev 1.6.1-1 depends on librust-base64-0.21+default-dev, librust-postgres-protocol-dev 0.6.6-2 depends on librust-base64-0.21+default-dev, librust-reqwest-dev 0.11.24-3 depends on librust-base64-0.21+default-dev, librust-rfc2047-decoder-dev 0.2.2-1+b1 depends on librust-base64-0.21+default-dev, librust-ripasso-dev 0.6.5-2 depends on librust-base64-0.21+default-dev (>= 0.21.2-~~), librust-ron-dev 0.7.1-3 depends on librust-base64-0.21+default-dev, librust-ruma-common-dev 0.10.5-4 depends on librust-base64-0.21+default-dev, librust-rust-argon2-dev 1.0.0-3 depends on librust-base64-0.21+default-dev, librust-rustls-pemfile-dev 1.0.3-1 depends on librust-base64-0.21+default-dev, librust-sequoia-autocrypt-dev 0.25.1-1 depends on librust-base64-0.21+default-dev, librust-sequoia-net-dev 0.28.0-1 depends on librust-base64-0.21+default-dev, librust-sequoia-openpgp-dev 1.19.0-1 depends on librust-base64-0.21+default-dev, librust-serde-with-dev 3.4.0-2 depends on librust-base64-0.21+alloc-dev, librust-base64-0.21-dev, librust-sqlx-postgres-dev 0.7.3-1 depends on librust-base64-0.21+std-dev, librust-sshkeys-dev 0.3.2-1+b1 depends on librust-base64-0.21+default-dev, librust-totp-rs-dev 3.0.1-3 depends on librust-base64-0.21+default-dev, librust-tower-http-dev 0.4.4-3 depends on librust-base64-0.21+default-dev, librust-ureq-dev 2.9.1-3 depends on librust-base64-0.21+default-dev, librust-wycheproof-dev 0.5.0-1+b1 depends on librust-base64-0.21+default-dev, Source packages in unstable whose autopkgtests are triggered by rust-base64: rust-native-tls 0.2.11-2 triggered by librust-base64-dev=0.21.7-1 rust-octocrab 0.31.2-1 triggered by librust-base64-dev=0.21.7-1 rust-picky-asn1-der 0.4.0-1 triggered by librust-base64-dev=0.21.7-1 rust-psa-crypto 0.9.2-3 triggered by librust-base64-dev=0.21.7-1 rust-rustls 0.21.10-1 triggered by librust-base64-dev=0.21.7-1 rust-rustls-webpki 0.101.7-2.1 triggered by librust-base64-dev=0.21.7-1 rust-ttf-parser 0.19.1-2 triggered by librust-base64-dev=0.21.7-1 rust-webpki 0.22.4-2 triggered by librust-base64-dev=0.21.7-1 rust-wu-diff 0.1.2-1 triggered by librust-base64-dev=0.21.7-1 some of them, like rust-sequoia 1.20.0, have been tested successfully by upstream against 0.22.0, but upgrading directly to 0.22.0 could break the build of all of these packages. So, either we need to: - do a mass-testing event, patching the Cargo.toml of each of these reverse dependencies; if all the relevant tests succeed, then commit all these changes at once and push them into unstable as a batch. or: - upload a versioned rust-base64-0.21 that is capable of satisfying the existing reverse dependencies, and then upload 0.22 as the standad rust-base64. Then we can at our leisure fix each reverse dependency (hopefully pushing fixes into the upstream projects) The latter approach sounds more more plausible to me in terms of getting the ball moving sooner (mass testing is expensive to set up), though it could last a longer time than the former approach if a few packages linger. but maybe other rust packagers have other preferred workflows to tackle this kind of transition. In the meantime, i intend to upload a version of rust-sequoia-openpgp with a patched dependency that just depends on the older 0.21.7 version. --dkg -- System Information: Debian Release: trixie/sid APT prefers testing-debug APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 6.6.15-amd64 (SMP w/4 CPU threads; PREEMPT) Kernel taint flags: TAINT_FIRMWARE_WORKAROUND Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system)
signature.asc
Description: PGP signature
