/srv/irclogs.ubuntu.com/2023/02/13/#ubuntu-security.txt

=== chris14_ is now known as chris14
=== codingkoopa7 is now known as codingkoopa
[21:20] <liushuyu> Hi security team, I would like to backport rustc toolchain to JJ with LLVM 15. I am not sure if you are okay to pull LLVM 15 into the security pocket (due to the transitive requirements from Firefox)?
[21:24] <teward> liushuyu: just doing due diligence as someone with core dev powers, when you say "backport" do you mean as it would land in -updates or -security, or that it would end up in -backports for a given release?  (have to ask)
[21:26] <liushuyu> teward: No problem! Since rustc itself would be landed in -security (due to direct requirements from Firefox), I believe that makes its dependency also live in -security...?
[21:27] <teward> liushuyu: the only reason I was asking was because if you intended that to land via -backports it'd be instant-rejected as a potential backport because the backports process has a sweeping 'no compilers/toolchain backports' in that pocket.  Hence my making sure you're actually talking about backport via -security (as a Security update) or -updates (as a standard SRU or such).
[21:27] <teward> (just to save the security team some time and confusion when they address your question)
[21:28] <liushuyu> rustc and cargo usually do not go through the normal -proposed and SRU process due to the effect cast upon by Firefox (Firefox needs very up-to-date Rust toolchains)
[21:28] <teward> that reminds me, i forget, in 22.04 Jammy did we force a transitional package to migrate to the snap, or did we keep the .deb because of proximity-to-release they made.
[21:29] <teward> asking again because I seem to remember there being a bit of chaos around 22.04 about Firefox pushing for snapped vs. deb installed
[21:29] <liushuyu> teward: IIRC Snap also uses in-archive Rust toolchains
[21:30] <teward> liushuyu: independent of the snap-compiled-into-it toolchains? If that were the case then anyone doing `sudo snap install firefox` would also need .deb versions
[21:30] <teward> hence why i'm asking about whether this is snapped or not because while yes it requires in-archive Rust toolchains there's different OS base versions
[21:30] <teward> but i digress
[21:30] <teward> forgive my poking and asking :)
[21:30] <teward> *sips coffee*
[21:32] <liushuyu> teward: I think for the Snap transition question, JJ did transition to Snap version
[21:32] <liushuyu> [Snap version] ... of the Firefox
[21:36] <teward> i can find out.  *grabs his laptop from his backpack and boots it*
[21:36] <teward> but still, not my call for -security stuff :)
[21:37] <teward> but any time i see "backport" said it is a ping word in my clients, so I have to make sure that what you mean about a backport is a-la Security type backports or such, not the actual Backports process ;0
[21:38] <liushuyu> Okay. And I think also because there was a CVE in cargo
[21:40] <liushuyu> (properly fixed in version 0.67.1, we have a patched fix in version 0.66.0)
=== chris15 is now known as chris14
[23:17] <eslerm> hi liushuyu
[23:18] <eslerm> llvm-toolchain-15 was backported to Jammy (LP#1991761)
[23:18] -ubottu:#ubuntu-security- Launchpad bug 1991761 in spirv-llvm-translator-15 (Ubuntu Jammy) "Backport packages for 22.04.2 HWE stack" [Undecided, Fix Released] https://launchpad.net/bugs/1991761
[23:18] <eslerm> would an update to rustc's d/control, to use llvm 15, resolve this?
[23:21] <liushuyu> eslerm: I think the issue would be rustc is not in the -updates repository (it is in the security pocket) while LLVM 15 in JJ is in the -updates
[23:24] <chrisccoulson> hi liushuyu
[23:24] <liushuyu> chrisccoulson: Hi
[23:24] <chrisccoulson> if you want to build rustc for the security pocket, it's fine to do a rebuild of llvm-toolchain-15 from the updates pocket (with a version bump) for the security pocket too
[23:25] <liushuyu> chrisccoulson: understood
[23:29] <chrisccoulson> liushuyu, from looking at bug 1991761, you might need more than llvm-toolchain-15. It might be worth also having a chat with tjaalton
[23:29] -ubottu:#ubuntu-security- Bug 1991761 in spirv-llvm-translator-15 (Ubuntu Jammy) "Backport packages for 22.04.2 HWE stack" [Undecided, Fix Released] https://launchpad.net/bugs/1991761
[23:31] <liushuyu> chrisccoulson: Thank you! Although rustc itself only needs a fraction of llvm-toolchain-15 (only needs a subset of the binary packages)
[23:35] <chrisccoulson> liushuyu, yeah, it looks like the llvm-toolchain-15 source package will need other packages in the security pocket in order to build the packages that you need. But it's worth syncing with tjaalton just to make sure that this backport of LLVM is intended to be consumed by things outside of the HWE stack, and also to make sure he's aware that you're also going to be depending on this backport to minimize the chances of rust
[23:35] <chrisccoulson> being broken from future updates
[23:42] <liushuyu> chrisccoulson: Okay. I will talk to them.
