Open Bug 1897829 Opened 6 months ago Updated 4 months ago

Upgrade sha2 rust crate in crashreporter to bypass a hardcoded dependency

Categories: Toolkit :: Crash Reporting, defect

Tracking: ASSIGNED

People: Reporter: beurdouche, Assigned: beurdouche

References: Blocks 1 open bug

Attachments: 1 file

In Bug 1883321 I will ship dependencies that need the latest version of subtle (0.5), which is pinned to 0.4 by crashreporter's digest dependency.

In crashreporter the version of the sha2 rust crate is set to =0.10.

  • crashreporter needs sha2=0.10 [0]
  • the build system typically picks sha2 0.10.6, which needs digest=^0.10.6 [1]
  • digest 0.10.6 is picked, but it hardcodes subtle=0.4, which caps the version of subtle by mistake

The problem of pinning the version of subtle was fixed in digest 0.10.7, therefore I propose to patch the sha2 version of crashreporter to sha2=^0.10.7, whose transitive dependencies contain the fix by using digest ^0.10.7 and subtle ^0.5.
This will also allow the toolchain to upgrade the versions of all dependencies as expected.

The severity field is not set for this bug.
:gsvelto, could you have a look please?

Flags: needinfo?(gsvelto)
Severity: -- → S3
Flags: needinfo?(gsvelto)

Note that the version in the crashreporter Cargo.toml was not =0.10, it was ^0.10 (https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#caret-requirements). This means that a cargo update sha2 digest may have been sufficient (though other factors may be involved).
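To make the requirement arithmetic behind the sha2 -> digest -> subtle chain in the report, and the ^ versus = distinction raised in the comment above, concrete, here is an added Python illustration (not Mozilla's or the crashreporter's code). It implements Cargo's caret and exact requirement rules from the linked Cargo reference; the miniature registry is constructed from the crate versions named in the report, not from crates.io metadata.

```python
def _parts(v):  # '0.10' -> (0, 10, 0): missing components zero-filled
    p = [int(x) for x in v.strip().split(".")]
    return tuple(p + [0] * (3 - len(p)))

def bounds(req):
    """(inclusive lower, exclusive upper) of a caret or exact requirement;
    a bare version such as "0.10" is a caret requirement, as in Cargo."""
    op, body = "^", req.strip()
    if body[0] in "^=":
        op, body = body[0], body[1:].strip()
    given = body.count(".") + 1              # components actually written
    major, minor, patch = lo = _parts(body)
    if op == "=":                            # =I.J.K is exact; =I.J and =I widen
        hi = {3: (major, minor, patch + 1), 2: (major, minor + 1, 0)}.get(given, (major + 1, 0, 0))
    elif major > 0 or given == 1:            # ^I.J.K and ^I: below the next major
        hi = (major + 1, 0, 0)
    elif minor > 0 or given == 2:            # ^0.J.K and ^0.J: below the next minor
        hi = (0, minor + 1, 0)
    else:                                    # ^0.0.K: that patch level only
        hi = (0, 0, patch + 1)
    return lo, hi

def matches(req, version):
    lo, hi = bounds(req)
    return lo <= _parts(version) < hi

# Constructed miniature registry: crate -> version -> {dependency: requirement}.
# Versions and requirements follow the bug report, not crates.io metadata.
REGISTRY = {
    "sha2": {"0.10.6": {"digest": "^0.10.6"}, "0.10.7": {"digest": "^0.10.7"}},
    "digest": {"0.10.6": {"subtle": "=0.4"},    # the accidental hard pin
               "0.10.7": {"subtle": "^0.5"}},   # the fix
    "subtle": {"0.4.0": {}, "0.5.0": {}},
}

def pins_excluding(crate, req, target, wanted):
    """Reachable (crate, version, requirement) triples whose requirement on `target` rejects `wanted`."""
    out, stack, seen = [], [(crate, req)], set()
    while stack:
        c, r = stack.pop()
        for v, deps in REGISTRY.get(c, {}).items():
            if (c, v) in seen or not matches(r, v):
                continue
            seen.add((c, v))
            for dep, dreq in deps.items():
                if dep == target and not matches(dreq, wanted):
                    out.append((c, v, dreq))
                stack.append((dep, dreq))
    return sorted(out)
```

With the top-level requirement `^0.10`, `pins_excluding("sha2", "^0.10", "subtle", "0.5.0")` names digest 0.10.6 with its `=0.4` pin; with `^0.10.7` the list is empty, which is the effect the proposed patch relies on.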
