| Summary: | gnome-base/librsvg-2.48.8: restore ability to build without rust | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | tonemgub |
| Component: | Current packages | Assignee: | Gentoo Linux Gnome Desktop Team <gnome> |
| Status: | RESOLVED WONTFIX | ||
| Severity: | normal | CC: | fturco, luke-jr+gentoobugs |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://wiki.gentoo.org/wiki/Project:GNOME/3.36-notes | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
There are compatibility issues with sticking to the old version (more and more things will break and not look right as they update), and this code is not optional in the newer version last I know of. adwaita-icon-theme notably already warn about this: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f089c65c66018d722857a2f1aacc6dd8b02d9d44 If building rust is an issue it's suggested to `emerge -1 dev-lang/rust-bin` instead, if it's a low ram machine (~2GB), then also use MAKEOPTS=-j1 for building librsvg. Masking the latest version is a very very bad idea. It has various known security issues and your machine may get exploited by them, as librsvg could be used for parsing SVG from untrusted sources. rust-bin installs fast, is only necessary while compiling librsvg, and objecting it is similar to objecting gcc being installed or something. If you want to avoid toolchains that are needed to compile software, then traditional Gentoo isn't the distribution for you, as it is all about compiling from source code on your own machine. Upstream librsvg has required rust to build for 2.5 years now, we just caught up rather late. There's currently no trustless/secure way to get a Rust compiler. (Just trusting someone else's binary defeats a major use case for Gentoo...) Don't really have a good solution, just throwing in more details. :/ Seems there's a fork that was started and it's receiving security fixes (not sure for compatibility). It's probably too early to consider it in gentoo (could end up being a dead fork), but figured I'd mention it.. not for those that want to avoid rust but rather for those that can't use rust even if they want to. https://github.com/oaken-source/librsvg-og (In reply to Ionen Wolkens from comment #4) > Seems there's a fork that was started and it's receiving security fixes (not > sure for compatibility). I see only a single change, fixing a memory leak. If there are security issues in 2.40.21, they are not fixed in this fork. :/ (In reply to Mart Raudsepp from comment #2) > Masking the latest version is a very very bad idea. It has various known > security issues and your machine may get exploited by them, as librsvg could > be used for parsing SVG from untrusted sources. Can you elaborate? Looking at upstream and its CVEs, I see none that aren't fixed in 2.40.21... Furthermore, 2.40.21 was only just released in February, and I see nothing to indicate upstream has stopped maintaining it themselves? (In reply to Luke-Jr from comment #5) > Furthermore, 2.40.21 was only just released in February, and I see nothing > to indicate upstream has stopped maintaining it themselves? It's in the NEWS for 2.40.20 (2.40.21 seem to have fell under the "for emergencies"): > Version 2.40.20 > - Except for emergencies, this will be the LAST RELEASE of the > librsvg-2.40.x series. We are moving to 2.41, which is vastly > improved over the 2.40 series. The API/ABI there remain unchaged, > so we strongly encourage you to upgrade your sources and binaries to > librsvg-2.41.x. Fixing security issues won't fix any arising compatibility issues though, so it's likely to get more and more unusable while the rust version move forward. So someone to actually backport those changes will be necessary. I'm not sure what security issues 2.40.21 have either (if any), maybe notes were for 2.40.20 and weren't updated. |
I admit I don't know if this is possible and did not know upstream was straying so far away from sanity by requiring even more dependencies. However, I would like to build gnome-base/librsvg without rust. This was possible up until the latest stabilization, literally less than a week ago. For now I am masking the latest version. >=gnome-base/librsvg-2.48.8 dev-lang/rust app-eselect/eselect-rust dev-lang/rust-bin virtual/rust Reproducible: Always