
Unable to update to v0.22.2 #1627

Closed
TethysSvensson opened this issue Jan 3, 2022 · 7 comments

Comments

@TethysSvensson
Contributor

I currently have a (transitive) dependency for nix v0.22.0 that I am unable to update to v0.22.2.

I am unable to update, because I also have a (transitive) dependency for bitflags v1.3.0, and cargo chooses to unify those dependencies by picking nix v0.22.0.

This is a problem for me, because I would like to add a cargo audit check to my CI, and nix v0.22.0 is affected by RUSTSEC-2021-0119.

Would it be possible for you to backport #1607 to the v0.22 branch, and do a new release?

@TethysSvensson TethysSvensson changed the title Unable to update to v0.22.2. Unable to update to v0.22.2 Jan 3, 2022
@hecrj

hecrj commented Jan 12, 2022

iced is also affected by this issue.

cargo will pick the versions with the vulnerability in order to use the most recent bitflags version. Users have to manually upgrade:

cargo update --package nix:0.20.0 --precise 0.20.2
cargo update --package nix:0.22.0 --precise 0.22.2

This forces cargo to downgrade bitflags to 1.2.1.

It'd be great to have new 0.20.3 and 0.22.3 releases without the bitflags restriction, ensuring the nix ecosystem is secure by default.

@rtzoeller
Collaborator

@asomers is this something you're able to do? AFAIK I don't yet have permission to publish to crates.io.

@asomers
Member

asomers commented Jan 22, 2022

Firstly, is Nix 0.23.0 not an option for you? Secondly, is it not an option to ignore that cargo-audit warning? The vulnerability is really not very serious. Except in a few exotic configurations only root can exploit it, and it only affects one rarely-used function.

@TethysSvensson
Contributor Author

I am already using 0.23 as well, but multiple places deep in my dependency chains are depending on 0.22.

Yes, I can ignore the cargo audit warning, but it doesn't really solve the underlying issue: I need to choose between using an old version of nix or an old version of bitflags.

Suppose you have (transitive) dependencies for nix 0.22 and bitflags 1.0. The best resolutions cargo can pick for this situation are either (nix=0.22.0, bitflags=1.3.0) or (nix=0.22.2, bitflags=1.2.0).

Now suppose that you (like me) have a transitive dependency for bitflags 1.3.0 as well. In this case one of those options goes away and I'm left with only the option (nix=0.22.0, bitflags=1.3.0).

This means that if any of my (transitive) dependencies were to introduce a requirement for nix 0.22.2, then cargo would be unable to resolve those requirements at all, and I would be unable to compile my project.
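The resolution conflict described in the comments above, as an added example that is not code from this thread or from the nix project: a brute-force toy resolver run over a constructed crate index. The version list, the assumption that the patched 0.22.2 caps bitflags below 1.3, the 0.22.3 entry with that cap lifted, and the single vulnerable version are all taken from this thread as assumptions, not read from crates.io; the "roots" dicts collapse everything the dependency tree demands of each crate into one range per crate.

```python
"""Toy model of cargo's version unification for the nix/bitflags conflict.

Constructed index, not the real crates.io registry. Versions are (major, minor, patch)
tuples; a requirement is (min_inclusive, max_exclusive).
"""
from copy import deepcopy
from itertools import product

# Constructed index: crate -> version -> that version's own requirements.
INDEX_BEFORE = {
    "nix": {
        (0, 22, 0): {"bitflags": ((1, 0, 0), (2, 0, 0))},  # bitflags ^1.0
        # Assumption from the thread: the patched 0.22.2 only accepts bitflags < 1.3,
        # which is why picking it forces bitflags down to 1.2.x.
        (0, 22, 2): {"bitflags": ((1, 0, 0), (1, 3, 0))},
    },
    "bitflags": {
        (1, 2, 1): {},
        (1, 3, 0): {},
    },
}

# Same index after a hypothetical 0.22.3 release that drops the bitflags cap.
INDEX_AFTER = deepcopy(INDEX_BEFORE)
INDEX_AFTER["nix"][(0, 22, 3)] = {"bitflags": ((1, 0, 0), (2, 0, 0))}

# Per the thread, nix 0.22.0 is the version flagged by RUSTSEC-2021-0119.
VULNERABLE = {("nix", (0, 22, 0))}

# Collapsed root requirements for the three situations discussed in the thread.
ROOTS_LOOSE = {"nix": ((0, 22, 0), (0, 23, 0)), "bitflags": ((1, 0, 0), (2, 0, 0))}
ROOTS_NEW_BITFLAGS = {"nix": ((0, 22, 0), (0, 23, 0)), "bitflags": ((1, 3, 0), (2, 0, 0))}
ROOTS_FIXED_NIX_AND_NEW_BITFLAGS = {
    "nix": ((0, 22, 2), (0, 23, 0)),
    "bitflags": ((1, 3, 0), (2, 0, 0)),
}


def satisfies(version, req):
    lo, hi = req
    return lo <= version < hi


def resolve(roots, index):
    """Return every consistent lockfile: exactly one version per crate that satisfies
    the root requirements and the requirements of every selected version.
    Candidates are tried newest-first, so earlier results use newer versions."""
    crates = list(index)
    solutions = []
    for combo in product(*(sorted(index[c], reverse=True) for c in crates)):
        chosen = dict(zip(crates, combo))
        ok = all(satisfies(chosen[c], r) for c, r in roots.items())
        ok = ok and all(
            satisfies(chosen[dep], r)
            for c in crates
            for dep, r in index[c][chosen[c]].items()
        )
        if ok:
            solutions.append(chosen)
    return solutions


def secure(solutions):
    """Keep only resolutions that contain no version listed in VULNERABLE."""
    return [s for s in solutions if not any((c, v) in VULNERABLE for c, v in s.items())]


def fmt(solution):
    return ", ".join(f"{c}={'.'.join(map(str, v))}" for c, v in solution.items())


if __name__ == "__main__":
    for label, roots, index in [
        ("nix ^0.22 + bitflags ^1.0, before 0.22.3", ROOTS_LOOSE, INDEX_BEFORE),
        ("nix ^0.22 + bitflags ^1.3, before 0.22.3", ROOTS_NEW_BITFLAGS, INDEX_BEFORE),
        ("nix >=0.22.2 + bitflags ^1.3, before 0.22.3", ROOTS_FIXED_NIX_AND_NEW_BITFLAGS, INDEX_BEFORE),
        ("nix ^0.22 + bitflags ^1.3, after 0.22.3", ROOTS_NEW_BITFLAGS, INDEX_AFTER),
    ]:
        sols = resolve(roots, index)
        print(f"{label}:")
        print("  resolutions:", [fmt(s) for s in sols] or "none (unresolvable)")
        print("  secure     :", [fmt(s) for s in secure(sols)] or "none")
```

The second scenario reproduces the situation the thread complains about: once something in the tree requires bitflags 1.3, the only lockfile left pairs it with the vulnerable nix 0.22.0. The third shows why a dependency bumping to nix 0.22.2 would make the build unresolvable, and the fourth shows how a release without the bitflags cap restores a secure lockfile for the same roots.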

@asomers
Member

asomers commented Jan 23, 2022

Here you go: https://crates.io/crates/nix/0.22.3

@asomers asomers closed this as completed Jan 23, 2022
@TethysSvensson
Contributor Author

Thanks! 👍

@hecrj

hecrj commented Jan 26, 2022

Could we get a 0.20.3 release? Exact same situation applies.
