[21:20] <liushuyu> Hi security team, I would like to backport rustc toolchain to JJ with LLVM 15. I am not sure if you are okay to pull LLVM 15 into the security pocket (due to the transitive requirements from Firefox)?
[21:24] <teward> liushuyu: just doing due diligence as someone with core dev powers, when you say "backport" do you mean as it would land in -updates or -security, or that it would end up in -backports for a given release?  (have to ask)
[21:26] <liushuyu> teward: No problem! Since rustc itself would be landed in -security (due to direct requirements from Firefox), I believe that makes its dependency also live in -security...?
[21:27] <teward> liushuyu: the only reason I was asking was because if you intended that to land via -backports it'd be instant-rejected as a potential backport because the backports process has a sweeping 'no compilers/toolchain backports' in that pocket.  Hence my making sure you're actually talking about backport via -security (as a Security update) or -updates (as a standard SRU or such).
[21:27] <teward> (just to save the security team some time and confusion when they address your question)
[21:28] <liushuyu> rustc and cargo usually do not go through the normal -proposed and SRU process due to the effect cast upon by Firefox (Firefox needs very up-to-date Rust toolchains)
[21:28] <teward> that reminds me, i forget, in 22.04 Jammy did we force a transitional package to migrate to the snap, or did we keep the .deb because of proximity-to-release they made.
[21:29] <teward> asking again because I seem to remember there being a bit of chaos around 22.04 about Firefox pushing for snapped vs. deb installered
[21:29] <liushuyu> teward: IIRC Snap also uses in-archive Rust toolchains
[21:30] <teward> liushuyu: independent of the snap-compiled-into-it toolchains? If that were the case then anyone doing `sudo snap install firefox` would also need .deb versions
[21:30] <teward> hence why i'm asking about whether this is snapped or not because while yes it requires in-archive Rust toolchains there's different OS base versions
[21:30] <teward> but i digress
[21:30] <teward> forgive my poking and asking :)
[21:30] <teward> *sips coffee*
[21:32] <liushuyu> teward: I think for the Snap transition question, JJ did transition to Snap version
[21:32] <liushuyu> [Snap version] ... of the Firefox
[21:36] <teward> i can find out.  *grabs his laptop from his backpack and boots it*
[21:36] <teward> but still, not my call for -security stuff :)
[21:37] <teward> but any time i see "backport" said it is a ping word in my clients, so I have to make sure that what you mean about a backport is a-la Security type backports or such, not the actual Backports process ;0
[21:38] <liushuyu> Okay. And I think also because there was a CVE in cargo
[21:40] <liushuyu> (properly fixed in version 0.67.1, we have a patched fix in version 0.66.0)
[23:17] <eslerm> hi liushuyu
[23:18] <eslerm> llvm-toolchain-15 was backported to Jammy (LP#1991761)
[23:18] -ubottu:#ubuntu-security- Launchpad bug 1991761 in spirv-llvm-translator-15 (Ubuntu Jammy) "Backport packages for 22.04.2 HWE stack" [Undecided, Fix Released] https://launchpad.net/bugs/1991761
[23:18] <eslerm> would an update to rustc's d/control, to use llvm 15, resolve this?
[23:21] <liushuyu> eslerm: I think the issue would be rustc is not in the -updates repository (it is in the security pocket) while LLVM 15 in JJ is in the -updates
[23:24] <chrisccoulson> hi liushuyu
[23:24] <liushuyu> chrisccoulson: Hi
[23:24] <chrisccoulson> if you want to build rustc for the security pocket, it's fine to do a rebuild of llvm-toolchain-15 from the updates pocket (with a version bump) for the security pocket too
[23:25] <liushuyu> chrisccoulson: understood
[23:29] <chrisccoulson> liushuyu, from looking at bug 1991761, you might need more than llvm-toolchain-15. It might be worth also having a chat with tjaalton
[23:29] -ubottu:#ubuntu-security- Bug 1991761 in spirv-llvm-translator-15 (Ubuntu Jammy) "Backport packages for 22.04.2 HWE stack" [Undecided, Fix Released] https://launchpad.net/bugs/1991761
[23:31] <liushuyu> chrisccoulson: Thank you! Although rustc itself only needs a fraction of llvm-toolchain-15 (only needs a subset of the binary packages)
[23:35] <chrisccoulson> liushuyu, yeah, it looks like the llvm-toolchain-15 source package will need other packages in the security pocket in order to build the packages that you need. But it's worth syncing with tjaalton just to make sure that this backport of LLVM is intended to be consumed by things outside of the HWE stack, and also to make sure he's aware that you're also going to be depending on this backport to minimize the chances of rust 
[23:35] <chrisccoulson> being broken from future updates
[23:42] <liushuyu> chrisccoulson: Okay. I will talk to them.