
rustsec crate locked to yanked versions of tame-index #1156

Open
tarcieri opened this issue Mar 26, 2024 · 5 comments
@tarcieri
Member

tarcieri commented Mar 26, 2024

The rustsec crate (and its v0.29.1 release) is currently locked to tame-index >= v0.9.8

https://github.com/rustsec/rustsec/blob/30b098c/rustsec/Cargo.toml#L27

However, v0.9.8 and v0.9.9 have been yanked:

https://crates.io/crates/tame-index/versions

This results in the following error from Cargo:

https://github.com/rustsec/rustsec/actions/runs/8429297259/job/23083332878

   Updating crates.io index
error: failed to select a version for the requirement `tame-index = "^0.9.8"`
candidate versions found which didn't match: 0.10.0, 0.9.7, 0.9.6, ...
location searched: crates.io index
required by package `rustsec v0.29.1 (/home/runner/work/rustsec/rustsec/rustsec)`
perhaps a crate was updated and forgotten to be re-vendored?

If you cargo install cargo-audit, it downgrades to rustsec v0.29.0 to work around this.
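A small checker for the situation described above, as an added example that is not code from the rustsec project: it reads a Cargo.lock excerpt and sparse-index entries, reports packages pinned to versions the registry has since yanked, and shows which releases a fresh resolution of a caret requirement could still pick. The index lines and the Cargo.lock excerpt are constructed; only the yanked flags mirror what the issue reports.

```python
import json
import re

# Constructed sparse-index lines (one JSON object per version, the shape
# served by index.crates.io); 0.9.8 and 0.9.9 are flagged yanked as in the issue.
INDEX = """
{"name":"tame-index","vers":"0.9.6","yanked":false}
{"name":"tame-index","vers":"0.9.7","yanked":false}
{"name":"tame-index","vers":"0.9.8","yanked":true}
{"name":"tame-index","vers":"0.9.9","yanked":true}
{"name":"tame-index","vers":"0.10.0","yanked":false}
"""

# Constructed Cargo.lock excerpt that still pins the yanked release.
CARGO_LOCK = """
[[package]]
name = "tame-index"
version = "0.9.8"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "semver"
version = "1.0.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

def parse_ver(v):
    return tuple(int(x) for x in v.split("."))

def caret_matches(req, vers):
    """Cargo's default caret rule: the leftmost non-zero component is fixed."""
    r, v = parse_ver(req), parse_ver(vers)
    if v < r:
        return False
    if r[0] != 0:
        return v[0] == r[0]
    if r[1] != 0:
        return v[:2] == r[:2]
    return v == r

def index_versions(text):
    """Map version -> yanked flag from sparse-index lines."""
    return {e["vers"]: e["yanked"] for e in map(json.loads, text.strip().splitlines())}

def resolvable(req, index):
    """Versions a fresh resolution (no lockfile entry) may select: unyanked and in range."""
    return sorted((v for v, y in index.items() if not y and caret_matches(req, v)), key=parse_ver)

def locked_yanked(lock_text, index_by_name):
    """(name, version) pairs pinned in Cargo.lock that the registry has yanked."""
    found = []
    for blk in re.findall(r"\[\[package\]\]\n(.*?)(?=\n\[\[package\]\]|\Z)", lock_text.strip(), re.S):
        name = re.search(r'^name = "(.*)"$', blk, re.M).group(1)
        ver = re.search(r'^version = "(.*)"$', blk, re.M).group(1)
        if index_by_name.get(name, {}).get(ver):
            found.append((name, ver))
    return found
```

With the constructed data, `resolvable("0.9.8", index_versions(INDEX))` is empty, which is the unsatisfiable requirement Cargo complains about, while the lockfile check flags the pinned 0.9.8.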

@Shnatsel
Member

I don't want to rush this because the latest tame-index upgraded to a newer gix which upgraded to a newer reqwest which broke things: #1151

We need to be careful with the upgrade, and make sure we don't break compilation for users again. Downgrading to 0.29.0 is fine because the only change in 0.29.1 is bumping gix and tame-index.

@tarcieri
Member Author

As things stand, the current tame-index requirement in the rustsec crate is unsatisfiable and that's breaking CI. To the extent some parts of it pass, it's only because the yanked tame-index v0.9.8 is already in Cargo.lock.

Can we get the build green again, at least?

@Shnatsel
Member

There is no tame-index version that ships with the gix we're currently using, so we have to switch to either an older or a newer version of gix. Rolling back is less work, rolling forward is more risky.

I think just bumping to tame-index 0.10 and its associated gix is the best option now that the unrelated semver-breaking changes in gix are sorted? We'll have to do it sooner or later anyway, it's just potentially a lot of work.

Maybe I should have just raised an issue with tame-index upstream instead of shipping a hotfix to unblock builds everywhere ASAP. This is kind of a mess now 😞

@tarcieri
Member Author

Can we roll back? The other changes would remain in git history and could be used as the basis of the branch to fully upgrade.

@Shnatsel
Member

Yeah, I don't see why not. Just set gix and tame-index to lower versions, I don't think we even needed any code changes on our side for that upgrade.
