#1009888 rust-h2, existing version is badly broken, new upstream needs new package

Package:
rust-h2
Source:
rust-h2
Submitter:
Peter Michael Green
Date:
2022-06-21 16:36:04 UTC
Severity:
grave
#1009888#5
Date:
2022-04-19 22:33:07 UTC
From:
To:
I noticed that Jonas had set a number of bugs about broken rust packages as
blockers of 900928, so I decided to take a look at some of them. I fixed up
bytemuck, image and related packages.

I then started looking at reqwest which lead me to h2 (which has been broken
since the tokio 1.x transition but noone ever got around to filing a
bug) which
lead me to http which jonas recently NMU'd.

I feel I need to comment on the technical details of the NMU, I should
preface
this by saying that I don't think it's unreasonable to 0-day NMU a minimal
fix for a long term RC issue, even if (as was not the case here but was the
case for some of the other NMUs noone ever bothered to actually file the
RC bug).

However, this NMU did considerably more than just add a minimal fix for
the rc issue. Most painfullly, the "orig" tarball for the new upstream
version
appears to have been derived from upstream git rather than from crates.io
and this breaks our workflow. If you are going to 0-day stuff please keep
your uploads minimal. If you want to do more invasive NMUs please give
the maintainers a chance to respond.

Fortunately it seems the answer is to move to an even newer upstream
version. The only reverse dependencies of rust-http seem to be the
h2/hyper stack which badly needs an update to move away from tokio
0.x. I have already committed the http update to debcargo-conf and may
upload it at some point.

Unfortunately moving back up the stack I ran into another issue. h2 and
hyper have grown a new dependency on tracing. While I am I am happy to
help with fixing existing rust packages, I am reluctant to take
responsibility
for a new package unless it's something I personally use.

So this is where I personally tap out on h2/hyper until/unless someone
packages tracing.
#1009888#10
Date:
2022-04-20 09:21:29 UTC
From:
To:
Quoting Peter Michael Green (2022-04-20 00:33:07)

Thanks, much appreciated.

Thanks for elaborating on the kinds of pain my NMU caused.  That is
helpful.

(In hindsight I could have made a smaller non-problematic NMU by fixing
only the FTBFS issue, ignoring the security issue)


 - Jonas
#1009888#15
Date:
2022-04-20 09:39:28 UTC
From:
To:
we use this stack (h2/hyper) downstream, I can take care of it over the
coming weeks. tracing is unfortunately still rather in-flux, so it will
likely see frequent upgrades.
#1009888#22
Date:
2022-05-01 13:00:05 UTC
From:
To:
okay, just pushed the following to debcargo-conf:
- update of hyper
- update of httparse
- update of http-body
- switch of http to iota 1.x

currently progress is blocked on
- itoa/serde_json transition (anybody working actively on that?)
- tracing being uploaded (capitol?)
- tower-service being uploaded (NEW, RFS, please upload!)

once all of the above is in the archive, the current version of h2 also
builds fine ;)
#1009888#27
Date:
2022-05-01 17:28:18 UTC
From:
To:
I just uploaded the new itoa to experimental and took a quick look
through the reverse dependencies.

rust-cssparser - already broken and not in testing.
rust-csv - built/tested fine after patching to use itoa 1, upstream also
has an unreleased change switching to itoa1 with no code changes.
rust-http - fixed version in debcargo-conf (semver breaking, but all
rdeps are broken right now anyway)
rust-hyper - already broken and not in testing.
rust-num-format - already broken and not in testing.
rust-serde-json - fixed version in debcargo-conf (not semver breaking)
rust-serde-urlencoded - fixed upstream (semver breaking, but all rdeps
are broken right now anyway)
rust-time - fixed upstream (not semver breaking)

I'm not seeing any reason not to go ahead with pushing this to unstable,
anyone have any comments before I go ahead?
#1009888#32
Date:
2022-05-02 07:33:13 UTC
From:
To:
LGTM - wasn't me who prepared those (itoa / serde_json) though ;) Carlos
did, but they seem to not hang out on IRC atm.
#1009888#43
Date:
2022-06-21 11:33:13 UTC
From:
To:
What is status of this bug?

Reading backlog it seems there was progress, but conversation when quiet
more than a month ago...


 - Jonas
#1009888#48
Date:
2022-06-21 13:35:59 UTC
From:
To:
Status is that h2 still needs tower-service, Fabian prepared it but noone
got around to sponsoring it. I've just updated and uploaded it. Now it
needs to get through NEW.
#1009888#53
Date:
2022-06-21 16:24:27 UTC
From:
To:
Seems I was mistaken, h2 doesn't actually depend on tower-service.
That is only needed for stuff further down the stack.
#1009888#58
Date:
2022-06-21 16:33:55 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
rust-h2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1009888@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Michael Green <plugwash@debian.org> (supplier of updated rust-h2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 21 Jun 2022 15:47:48 +0000
Source: rust-h2
Architecture: source
Version: 0.3.13-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>
Changed-By: Peter Michael Green <plugwash@debian.org>
Closes: 1009888
Changes:
 rust-h2 (0.3.13-1) unstable; urgency=medium
 .
   * Team upload.
   * Package h2 0.3.13 from crates.io using debcargo 2.5.0 (Closes: 1009888)
   * Disable tests that require test data which is not included
     in the crates.io release.
   * Disable example that relies on tokio-rustls.
Checksums-Sha1:
 44606eebc94c7d76ac28dd50d1ce1f9add629c04 3125 rust-h2_0.3.13-1.dsc
 2629bb32e3bab99d4a9ba90b37d4f60994c03e85 161962 rust-h2_0.3.13.orig.tar.gz
 e6d0a5c85f1f6ae3a2300655bae67b186f94ba6c 3852 rust-h2_0.3.13-1.debian.tar.xz
 82844f677df0b60a136202d3376a63d6efa7ac82 11098 rust-h2_0.3.13-1_source.buildinfo
Checksums-Sha256:
 cf2bc77c087283e189b460fb5c629e90fbfd02e2ccd19400d81b0fe72c57e13a 3125 rust-h2_0.3.13-1.dsc
 37a82c6d637fc9515a4694bbf1cb2457b79d81ce52b3108bdeea58b07dd34a57 161962 rust-h2_0.3.13.orig.tar.gz
 f7209deee7636d3b20d51934b3853abb0d0d5338a215238830c2c349c8737ef2 3852 rust-h2_0.3.13-1.debian.tar.xz
 7a0b07a7fc09f1068900d7329e4bfcdf6c96822d76e46c6ece2e8531e8c4bb9d 11098 rust-h2_0.3.13-1_source.buildinfo
Files:
 2a201fa2b145208980b5569659779519 3125 rust optional rust-h2_0.3.13-1.dsc
 576e03703c56261f14e5aeccfba0b4c9 161962 rust optional rust-h2_0.3.13.orig.tar.gz
 ab9657d7414b1d08e4408b089a837eac 3852 rust optional rust-h2_0.3.13-1.debian.tar.xz
 85382a7bb9e53156b70f7461b429f88f 11098 rust optional rust-h2_0.3.13-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----

iQJIBAEBCAAyFiEEU0DQATYMplbjSX63DEjqKnqP/XsFAmKx8JoUHHBsdWd3YXNo
QGRlYmlhbi5vcmcACgkQDEjqKnqP/XtKSg//fHp+BCg6TJ6+he2NK74euZ7iPkVc
HIT+G/UK3d+Av2BxajkLMzpTJBUWqEgn06qzMHuS0y/swk1HBDSOxjELAQO67Q1d
9YLtH/aaMPC9IjKDjzP/bT6Lz/XqR/e4/6Jypp2OyQXcb9CREMjLW2ZJ6Tr96dMP
qBdNsHhAP/LxvmTHOyl5XnIt+Sy/CVO3O4FfzFmYQV+cDU/Wj1rCBNt/oPkVCGxE
2yMYlFmjZW2/QF9MzuwWSFapQ7liri2ANODrpQPYD4e15qZlNLKe/aTTaOf5eaGz
0dU52QQCwTgYlNKoggx6Vajm4gi/pjuoP7z1XK7DVSxIxOSV1f+DzySONWTtBj5Y
bz8434rGguwMmPipDBeEP1+dO5C20GeDWIijKX99MFfjlo8I7q4Mp2SnM3TyoGL2
Fui1yICFx7J1IAPKLiGydaN7miFip9AmL02jK9Vr5t5CO8YeNThb1fChNSbuycka
ZBUbR9mP9rj0qxCvMQEN28zbS0QzrvMLIjPt7MxsAZd9GVGay6S7GPMHKcf7JJ5b
FIg7D/qxB+Uwx1iseH9QhcrKq9EAymhovIoDzg7ph5VM3LZ3yaXIDKz27u/5NVZr
CVcusknP4HVOLdqR193ykpAAelBGIp33iQrhDd6/hN0aseb9gj/LXwoy5/WAtnon
t+AS7ysN2CQaVS0=
=0+/c
-----END PGP SIGNATURE-----