Created attachment 457824 [details] Result of build with Rust debugging I just updated Rust to 1.14.0 from 1.13.0, and trying to update cargo from 0.14.0 to 0.15.0 is failing with libressl. If you can see at /var/tmp/portage/dev-util/cargo-0.15.0/work/cargo_home/gentoo/openssl-sys-0.9.1/build.rs:243, seems like isn't recognizing libressl due OpenSSL verification by OPENSSL_VERSION_NUMBER, reaching a hardcoded panic line code.
According to https://github.com/sfackler/rust-openssl/releases , the libressl incompatibility has been fixed in version 0.9.4 of the openssl-sys crate; hence bumping the bundled version of this crate to the latest release should be enough to fix the issue.
Its not so simple. Cargo ships with its own lock file that is set to openssl-0.9.1 so the build process will always use that. And its not a trivial patch because there are cross dependencies on different versions between libssh2, libgit and openssl. I think we'll just USE mask libressl for this version.
Yes, I've tried patching this and it's indeed not as easy as I expected. The current versions of the openssl crates have some new dependencies, so quite some changes to Cargo.lock are required to bump them. USE-masking libressl would be bad, though; due to dev-lang/rust's PDEPEND on the latest cargo version, this would mean that libressl users couldn't update to Rust 1.14.
Created attachment 459232 [details, diff] dev-util/cargo: Bump openssl crate to 0.9.5 Here's a patch for the cargo ebuild; it updates Cargo.lock to pull in openssl{,-sys}-0.9.5, libgit2-sys-0.6.6 and their new dependencies. The patch can also be pulled from https://github.com/atlaua/gentoo, branch aranea/cargo-libressl. I've also askes upstream to update their Cargo.lock accordingly: https://github.com/rust-lang/cargo/issues/3516
I think you're unlikely to get that to happen. What using asking for is a re-release of 0.15.0 as 0.15.1 with an updated Cargo.lock.
(In reply to Doug Goldstein from comment #5) > I think you're unlikely to get that to happen. What using asking for is a > re-release of 0.15.0 as 0.15.1 with an updated Cargo.lock. Sure thing; I wouldn't expect anyone to modify tarballs of already released software versions. :) But since upstream includes the Cargo.lock file in their git repository (which seems weird to me, btw, but I don't know much about the Rust ecosystem yet), it seems warranted to ask for a (patch) release when the crate versions they're pulling in are buggy.
I'm closing this bug since Doug indicated [1] he won't fix it. (By the way, I'd appreciate an explanation for this, just out of curiosity.) [1] https://github.com/rust-lang/cargo/pull/3521#issuecomment-271656647