Bug#1098849: marked as done (rust-ureq - upcoming rust-rustls-pemfile update)

[Debian Bug Tracking System]

Your message dated Sat, 15 Mar 2025 16:44:44 +0000
with message-id <e1ttucu-006wm5...@fasolo.debian.org>
and subject line Bug#1098849: fixed in rust-ureq 2.12.1-4
has caused the Debian Bug report #1098849,
regarding rust-ureq - upcoming rust-rustls-pemfile update
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1098849: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098849
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: rust-ureq

I hope to update rust-rustls-pemfile soon. The version of rust-ureq
in Debian uses rustls 0.23 and rust-rustls-pemfile 2 upstream, but
is currently downpatched in Debian to rustls 0.21 and rustls-pemfile 1

Since both dependencies were downpatched by the same patch, and we
have the new version of rustls available in Debian, I removed the
downpatch for both rustls and rustls-pemfile. I then adjusted the
debian dependencies and the rest of the patches so the package could
be built successfully.

debdiff attatched.
diff -Nru rust-ureq-2.12.1/debian/changelog rust-ureq-2.12.1/debian/changelog
--- rust-ureq-2.12.1/debian/changelog   2025-02-09 09:01:54.000000000 +0000
+++ rust-ureq-2.12.1/debian/changelog   2025-02-25 04:23:32.000000000 +0000
@@ -1,3 +1,13 @@
+rust-ureq (2.12.1-3.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Disable debian/patches/2001_rustls.patch
+  * Update debian build-dependencies for rustls version change.
+  * Update 2001_rustls-native-certs.patch for new rustls.
+  * Update other debian patches to avoid fuzz issues.
+
+ -- Peter Michael Green <plugw...@debian.org>  Tue, 25 Feb 2025 04:23:32 +0000
+
 rust-ureq (2.12.1-3) unstable; urgency=medium
 
   * declare rust-related build-dependencies unconditionally,
diff -Nru rust-ureq-2.12.1/debian/control rust-ureq-2.12.1/debian/control
--- rust-ureq-2.12.1/debian/control     2025-02-09 09:01:54.000000000 +0000
+++ rust-ureq-2.12.1/debian/control     2025-02-25 04:23:32.000000000 +0000
@@ -18,9 +18,13 @@
  librust-log-0.4+default-dev,
  librust-native-tls-0.2+default-dev,
  librust-once-cell-1+default-dev,
- librust-rustls-0.21+default-dev,
+ librust-rustls-0.23+ring-dev,
+ librust-rustls-0.23+logging-dev,
+ librust-rustls-0.23+std-dev,
+ librust-rustls-0.23+tls12-dev,
  librust-rustls-native-certs-dev (<< 0.8),
- librust-rustls-pemfile-1+default-dev,
+ librust-rustls-pemfile-2+default-dev,
+ librust-rustls-pki-types-1+default-dev,
  librust-rustls-webpki-0.101+default-dev,
  librust-serde-1+default-dev,
  librust-serde-1+derive-dev,
diff -Nru rust-ureq-2.12.1/debian/patches/2001_rustls-native-certs.patch 
rust-ureq-2.12.1/debian/patches/2001_rustls-native-certs.patch
--- rust-ureq-2.12.1/debian/patches/2001_rustls-native-certs.patch      
2025-02-09 08:38:35.000000000 +0000
+++ rust-ureq-2.12.1/debian/patches/2001_rustls-native-certs.patch      
2025-02-25 03:44:01.000000000 +0000
@@ -6,12 +6,6 @@
 This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
 --- a/Cargo.toml
 +++ b/Cargo.toml
-@@ -48,7 +48,7 @@
- cookie_store = { version = "0.21.1", optional = true, default-features = 
false, features = ["preserve_order", "serde_json"] }
- log = "0.4"
- webpki-roots = { version = "0.26", optional = true }
+@@ -51,1 +51,1 @@
 -rustls-native-certs = { version = "0.7", optional = true }
 +rustls-native-certs = { version = ">= 0.6.3, <= 0.7", optional = true }
- native-tls = { version = "0.2", optional = true }
- flate2 = { version = "1.0.22", optional = true }
- brotli-decompressor = { version = "4.0.0", optional = true }
diff -Nru rust-ureq-2.12.1/debian/patches/2002_native_certs.patch 
rust-ureq-2.12.1/debian/patches/2002_native_certs.patch
--- rust-ureq-2.12.1/debian/patches/2002_native_certs.patch     2025-02-09 
09:01:54.000000000 +0000
+++ rust-ureq-2.12.1/debian/patches/2002_native_certs.patch     2025-02-25 
04:23:32.000000000 +0000
@@ -4,61 +4,61 @@
 Last-Update: 2023-08-13
 ---
 This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
---- a/Cargo.toml
-+++ b/Cargo.toml
-@@ -20,8 +20,8 @@
+Index: rust-ureq-2.12.1/Cargo.toml
+===================================================================
+--- rust-ureq-2.12.1.orig/Cargo.toml
++++ rust-ureq-2.12.1/Cargo.toml
+@@ -20,8 +20,8 @@ features = ["tls", "native-tls", "json",
  rustdoc-args = ["--cfg", "docsrs"]
  
  [features]
 -default = ["tls", "gzip"]
--tls = ["dep:webpki-roots", "dep:rustls"]
+-tls = ["dep:webpki-roots", "dep:rustls", "dep:rustls-pki-types"]
 +default = ["tls", "gzip", "native-certs"]
-+tls = ["native-certs", "dep:rustls"]
++tls = ["native-certs", "dep:rustls", "dep:rustls-pki-types"]
  native-certs = ["dep:rustls-native-certs"]
  native-tls = ["dep:native-tls"]
  json = ["dep:serde", "dep:serde_json"]
-@@ -47,7 +47,6 @@
+@@ -47,7 +47,6 @@ serde_json = { version = "1.0.97", optio
  encoding_rs = { version = "0.8", optional = true }
  cookie_store = { version = "0.21.1", optional = true, default-features = 
false, features = ["preserve_order", "serde_json"] }
  log = "0.4"
 -webpki-roots = { version = "0.26", optional = true }
+ rustls-pki-types = { version = "1", optional = true }
  rustls-native-certs = { version = ">= 0.6.3, <= 0.7", optional = true }
  native-tls = { version = "0.2", optional = true }
- flate2 = { version = "1.0.22", optional = true }
---- a/src/agent.rs
-+++ b/src/agent.rs
-@@ -596,13 +596,11 @@
+Index: rust-ureq-2.12.1/src/agent.rs
+===================================================================
+--- rust-ureq-2.12.1.orig/src/agent.rs
++++ rust-ureq-2.12.1/src/agent.rs
+@@ -595,9 +595,12 @@ impl AgentBuilder {
+     /// # fn main() -> Result<(), ureq::Error> {
      /// # ureq::is_test(true);
      /// use std::sync::Arc;
-     /// let mut root_store = rustls::RootCertStore::empty();
--    /// 
root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
--    ///     rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
--    ///         ta.subject,
--    ///         ta.spki,
--    ///         ta.name_constraints,
--    ///     )
--    /// }));
+-    /// let mut root_store = rustls::RootCertStore {
+-    ///   roots: webpki_roots::TLS_SERVER_ROOTS.iter().cloned().collect(),
+-    /// };
++    /// let mut root_store = rustls::RootCertStore::empty();
 +    /// for cert in rustls_native_certs::load_native_certs().expect("could 
not load platform certs") {
 +    ///     root_store
-+    ///         .add(&rustls::Certificate(cert.0))
++    ///         .add(cert.0.into())
 +    ///         .unwrap();
 +    /// }
      ///
      /// let tls_config = rustls::ClientConfig::builder()
-     ///     .with_safe_defaults()
---- a/tests/https-agent.rs
-+++ b/tests/https-agent.rs
-@@ -104,13 +104,11 @@
-         .clone();
- 
-     let mut root_store = rustls::RootCertStore::empty();
--    
root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
--        rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
--            ta.subject,
--            ta.spki,
--            ta.name_constraints,
--        )
--    }));
+     ///     .with_root_certificates(root_store)
+Index: rust-ureq-2.12.1/tests/https-agent.rs
+===================================================================
+--- rust-ureq-2.12.1.orig/tests/https-agent.rs
++++ rust-ureq-2.12.1/tests/https-agent.rs
+@@ -102,9 +102,12 @@ m0Wqhhi8/24Sy934t5Txgkfoltg8ahkx934WjP6W
+         .unwrap()
+         .unwrap();
+ 
+-    let root_store = rustls::RootCertStore {
+-        roots: webpki_roots::TLS_SERVER_ROOTS.iter().cloned().collect(),
+-    };
++    let mut root_store = rustls::RootCertStore::empty();
 +    for cert in rustls_native_certs::load_native_certs().expect("could not 
load platform certs") {
 +        root_store
 +            .add(&rustls::Certificate(cert.0))
@@ -66,40 +66,32 @@
 +    }
  
      let tls_config = rustls::ClientConfig::builder()
-         .with_safe_defaults()
-@@ -157,13 +155,11 @@
+         .with_root_certificates(root_store)
+@@ -149,9 +152,12 @@ m0Wqhhi8/24Sy934t5Txgkfoltg8ahkx934WjP6W
+ #[test]
  #[cfg(feature = "tls")]
  fn ipv6_addr_in_dns_name() {
-     let mut root_store = rustls::RootCertStore::empty();
--    
root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
--        rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
--            ta.subject,
--            ta.spki,
--            ta.name_constraints,
--        )
--    }));
+-    let root_store = rustls::RootCertStore {
+-        roots: webpki_roots::TLS_SERVER_ROOTS.to_vec(),
+-    };
++    let mut root_store = rustls::RootCertStore::empty();
 +    for cert in rustls_native_certs::load_native_certs().expect("could not 
load platform certs") {
 +        root_store
-+            .add(&rustls::Certificate(cert.0))
++            .add(cert.0.into())
 +            .unwrap();
 +    }
  
      let tls_config = rustls::ClientConfig::builder()
-         .with_safe_defaults()
---- a/examples/tls_config.rs
-+++ b/examples/tls_config.rs
-@@ -20,14 +20,12 @@
-     //         .expect("Failed to add native certificate too root store");
+         .with_root_certificates(root_store)
+Index: rust-ureq-2.12.1/examples/tls_config.rs
+===================================================================
+--- rust-ureq-2.12.1.orig/examples/tls_config.rs
++++ rust-ureq-2.12.1/examples/tls_config.rs
+@@ -21,7 +21,12 @@ pub fn main() {
      // }
  
--    // This adds webpki_roots certs.
--    
root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
--        rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
--            ta.subject,
--            ta.spki,
--            ta.name_constraints,
--        )
--    }));
+     // This adds webpki_roots certs.
+-    root_store.roots = 
webpki_roots::TLS_SERVER_ROOTS.iter().cloned().collect();
 +    // This adds system-native certs.
 +    for cert in rustls_native_certs::load_native_certs().expect("could not 
load platform certs") {
 +        root_store
@@ -109,28 +101,20 @@
  
      // This is how we narrow down the allowed TLS versions for rustls.
      let protocol_versions = &[&TLS12, &TLS13];
---- a/src/rtls.rs
-+++ b/src/rtls.rs
-@@ -99,13 +99,11 @@
- #[cfg(not(feature = "native-certs"))]
- fn root_certs() -> rustls::RootCertStore {
-     let mut root_store = rustls::RootCertStore::empty();
--    
root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
--        rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
--            ta.subject,
--            ta.spki,
--            ta.name_constraints,
--        )
--    }));
-+    for cert in rustls_native_certs::load_native_certs().expect("could not 
load platform certs") {
-+        root_store
-+            .add(&rustls::Certificate(cert.0))
-+            .unwrap();
-+    }
-     root_store
- }
- 
-@@ -141,16 +139,8 @@
+Index: rust-ureq-2.12.1/src/rtls.rs
+===================================================================
+--- rust-ureq-2.12.1.orig/src/rtls.rs
++++ rust-ureq-2.12.1/src/rtls.rs
+@@ -69,7 +69,7 @@ fn root_certs() -> rustls::RootCertStore
+         vec![]
+     });
+     let (valid_count, invalid_count) =
+-        
root_cert_store.add_parsable_certificates(native_certs.into_iter().map(|c| 
c.into()));
++        
root_cert_store.add_parsable_certificates(native_certs.into_iter().map(|c| 
c.0.into()));
+     if valid_count == 0 && invalid_count > 0 {
+         error!(
+             "no valid certificates loaded by rustls-native-certs. all HTTPS 
requests will fail."
+@@ -118,16 +118,7 @@ impl TlsConnector for Arc<rustls::Client
  
  pub fn default_tls_config() -> Arc<dyn TlsConnector> {
      static TLS_CONF: Lazy<Arc<dyn TlsConnector>> = Lazy::new(|| {
@@ -145,7 +129,6 @@
 -        .with_protocol_versions(&[&rustls::version::TLS12, 
&rustls::version::TLS13])
 -        .unwrap() // Safety: the *ring* default provider always configures 
ciphersuites compatible w/ both TLS 1.2 & TLS 1.3
 +        let config = rustls::ClientConfig::builder()
-+            .with_safe_defaults()
          .with_root_certificates(root_certs())
          .with_no_client_auth();
          Arc::new(Arc::new(config))
diff -Nru rust-ureq-2.12.1/debian/patches/series 
rust-ureq-2.12.1/debian/patches/series
--- rust-ureq-2.12.1/debian/patches/series      2025-02-09 08:49:10.000000000 
+0000
+++ rust-ureq-2.12.1/debian/patches/series      2025-02-25 03:42:13.000000000 
+0000
@@ -1,6 +1,6 @@
 1001_env_logger.patch
 2001_hootbin.patch
-2001_rustls.patch
+#2001_rustls.patch
 2001_rustls-native-certs.patch
 2002_native_certs.patch
 2003_no_net.patch

--- End Message ---

--- Begin Message ---

Source: rust-ureq
Source-Version: 2.12.1-4
Done: Jonas Smedegaard <d...@jones.dk>

We believe that the bug you reported is fixed in the latest version of
rust-ureq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1098...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated rust-ureq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 15 Mar 2025 16:07:15 +0100
Source: rust-ureq
Architecture: source
Version: 2.12.1-4
Distribution: unstable
Urgency: medium
Maintainer: Jonas Smedegaard <d...@jones.dk>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Closes: 1098849
Changes:
 rust-ureq (2.12.1-4) unstable; urgency=medium
 .
   * reduce patch 2001_rustls to not involve crate rustls-pemfile;
     bump build- and autopkgtest-dependencies
     for crate rustls-pemfile;
     closes: bug#1098849, thanks to Peter Michael Green
   * declare compliance with Debian Policy 4.7.2
Checksums-Sha1:
 582509ab7bf7b8b12db49e73c4c31c78c919de46 3394 rust-ureq_2.12.1-4.dsc
 d039e7c80237d2aaa08229f70aaeab2ce6e7c13e 11608 rust-ureq_2.12.1-4.debian.tar.xz
 722a95d4b29a1924819c07ba2dc95b80fb1f9468 17427 
rust-ureq_2.12.1-4_amd64.buildinfo
Checksums-Sha256:
 eb4c5a10e5666f9dfaa4a44fc4de1fc304eeec9fcb2c596918d3994b3e195450 3394 
rust-ureq_2.12.1-4.dsc
 2fcabc267e84bf174fa34bcbbe517d148ef121d37c86b57a809ad14aa1371dcc 11608 
rust-ureq_2.12.1-4.debian.tar.xz
 bda667f28f2210fb642066f17a52c1770b12085773325b1b9a2689706df44849 17427 
rust-ureq_2.12.1-4_amd64.buildinfo
Files:
 9d68d98bf9ab35420bda4862ae1de31b 3394 rust optional rust-ureq_2.12.1-4.dsc
 49ecb144ac497545feea2867dc15b339 11608 rust optional 
rust-ureq_2.12.1-4.debian.tar.xz
 c63bbbdc1aaf67a89f6504e3b87b5960 17427 rust optional 
rust-ureq_2.12.1-4_amd64.buildinfo


-----BEGIN PGP SIGNATURE-----

wsG7BAEBCgBvBYJn1aBTCRAsfDFGwaABIUcUAAAAAAAeACBzYWx0QG5vdGF0aW9u
cy5zZXF1b2lhLXBncC5vcmehcRXixzNnhNjMrFwPjTfhyjQn+2FxYO78e17lSloM
VBYhBJ/j6cNmkaaf9TzGhCx8MUbBoAEhAADZIxAApldoACUH+lvbDQjiDj+Tzpmy
qgniNi0nsmJwXphptQj71pxH33JY6NOnKrMAQhoad4FxFSP3nBP1QU5i1NIdSjvp
oKvoN4A1pYf4tXDwYsYSHfktoXxA/vId3IDccyb/EwsG56nXv92cUOn7zsULCtmI
iqb43UhbnZKUrhOXnj5Ko4QR34oZTU2uz9TmZZklmikyKMkTb3nSvynrO0ZAJCFf
DhAkdyxvNmn/Ffhxlfo1gNeEaUSuVOXaTlZIZZq5bKxalvBvQujjCOOHiq/zPUMy
sLvq5tvfFfG6vF5UCY2F+BEq1Qpvn7KBWhjoNLzRkf0paLuEM49IPzC+OuDbJ7VP
sG71Oj4rjI7j4/snaGrg02wnZ5OoL3Vr1LvaN0ke+pUpC+HCpVqdk4Qfr/D483eO
tz2EM9T59+kUKAwfszed2Ut+4Q9MaKXtYW3VumRIniYF4E7Sz8z3D9McbpoNBhn/
5RScMgTLNbz/4VJVf1x4dd0xt3q8WlK2gNriQrBA5iUjnpHml2e7BrrghWD7IC4q
sj9O6nkDklapf7UiNq5DhtyCZ6d4uiO7onZR0EeNU8NtalfnDP3EaJw5m//qK7IJ
f2oQIbhqw6dZZcX5u0iTGXxQFwVjKakz9WEQfVOe1iniSQCaIdiGE6TNSloIv3nN
cRugb1a1UDVnH30uNUg=
=6pp3
-----END PGP SIGNATURE-----

pgpSH0TjKPYV_.pgp
Description: PGP signature

--- End Message ---