Latest revision as of 10:20, 13 November 2024
Retire zbus v1
Summary
The packages for v1 of the zbus crate (and the packages for v2 of the zvariant crate) will be retired from Fedora 42. Dependent packages are to be ported to a non-obsolete version of these libraries (i.e. zbus v4 or v5) or to be retired as well.
Owner
- Name: Fabio Valentini for the Rust SIG
- Email: decathorpe@gmail.com
- Email: rust@lists.fedoraproject.org
Current status
- Targeted release: Fedora Linux 42
- Last updated: 2024-11-13
- Announced
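- Discussion thread: https://discussion.fedoraproject.org/t/f42-change-proposal-retire-zbus-v1f/134265
- FESCo issue: #3287 (https://pagure.io/fesco/issue/3287)
- Tracker bug: #2325879 (https://bugzilla.redhat.com/show_bug.cgi?id=2325879)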
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Fedora includes packages for different versions of the zbus crate. The packages for zbus v3 were recently retired from Fedora 42 since the last package that used this version was ported to v4. However, there are still a few packages left that depend on the long-obsolete zbus v1, and tickets have been filed (or did already exist) about updating the zbus dependency:
- nmstate: https://github.com/nmstate/nmstate/issues/2803
- rust-libslirp: https://gitlab.freedesktop.org/slirp/libslirp-rs/-/issues/5
- squeekboard: https://gitlab.gnome.org/World/Phosh/squeekboard/-/issues/378
We cannot continue to maintain packages for obsolete versions of the zbus and zvariant crates indefinitely. These packages in turn pull in dependencies that are increasingly outdated compared to other packages in Fedora, including a lot of compat packages for older alternative versions of existing Rust packages:
- rust-async-io: v1 compat package (current: v2)
- rust-async-lock: v2 compat package (current: v3)
- rust-bitflags: v1 compat package (current: v2)
- rust-enumflags2: v0.6 compat package (current: v0.7)
- rust-enumflags_derive2: v0.6 compat package (current: v0.7)
- rust-event-listener: v2 compat package (current: v5)
- rust-futures-lite: v1 compat package (current: v2)
- rust-io-lifetimes: v1 compat package (current: v2)
- rust-linux-raw-sys: v0.3 compat package (current: v0.6)
- rust-memoffset: v0.6 compat package (current: v0.9)
- rust-nix: v0.22 compat package (current: v0.29)
- rust-polling: v2 compat package (current: v3)
- rust-proc-macro-crate: v0.1 compat package (current: v3)
- rust-proc-macro-crate: v1 compat package (current: v3)
- rust-rustix: v0.37 compat package (current: v0.38)
- rust-socket2: v0.4 compat package (current: v0.5)
- rust-syn: v1 compat package (current: v2)
- rust-toml: v0.5 compat package (current: v0.8)
- rust-toml_edit: v0.19 compat package (current: v0.22)
- rust-winnow: v0.5 (current: 0.6)
And in turn, these compat packages pull in even more old and / or obsolete packages.
Additionally, versions of zbus / zvariant before zbus v3.14 / zvariant 3.15 have known bugs on 32-bit systems and test failures on big-endian systems: https://github.com/dbus2/zbus/pull/362
Feedback
Benefit to Fedora
Implementing this change will allow the Rust SIG to drop potentially dozens of obsolete libraries and / or old compat packages from the distribution. Making the dependency graph less "dense" makes maintenance work easier due to fewer inter-dependencies that need to be taken into account when pushing library updates.
Additionally, packages for old versions of crates often require ongoing maintenance due to new rustc compiler errors, or require fixes for compatibility with new versions of cargo. As a result, dropping old packages frees up time that package maintainers could spend on more useful work. Dropping obsolete packages from the distribution also has indirect benefits, like reduced load on Fedora infrastructure (koschei CI, mass rebuilds, etc.).
While none of the packages included in the list above are listed as "vulnerable" in the RUSTSEC database, this database is not exhaustive, and many packages in this list contain "unsafe" code that could contain soundness problems that were just not submitted to RUSTSEC for classification.
Scope
- Proposal owners:
Retire rust-zbus1, rust-zbus_macros1, rust-zvariant2, rust-zvariant_derive2 from Fedora Rawhide / Fedora 42, at the latest before the start of the Final Freeze for Fedora 42.
- Other developers:
Port packages that depend on zbus v1 to zbus >= v4, work with upstream projects to do the same, or retire dependent packages.
Porting from zbus v1 to newer versions requires some code changes due to API changes in zbus >= v2, which might or might not be trivial. For example, this is the PR for system-76-keyboard-configurator to port it from zbus v1 to v3 (with fewer required changes between zbus v3 and v4): https://github.com/pop-os/keyboard-configurator/pull/221
- Release engineering:
N/A (just ensure that retired packages are removed from repositories / blocked in koji correctly, but this is already covered by normal Release Engineering processes)
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy:
Dropping obsolete packages makes it easier for new contributors to start working on the Rust stack in Fedora.
Upgrade/compatibility impact
Rust library packages are not intended to be installed on end-user systems, and are almost exclusively installed in ephemeral build environments (i.e. mock chroots).
If any of the dependent packages (nmstate, rust-libslirp, squeekboard) is retired, they can be added to fedora-obsolete-packages. But since Rust crates are statically linked and are not a dependency for built packages, this is not strictly necessary.
How To Test
None of the packages built from the following source packages should be available for installation on Fedora 42:
- rust-zbus1 (rust-zbus1-devel, rust-zbus1+*-devel)
- rust-zbus_macros1 (rust-zbus_macros1-devel, rust-zbus_macros1+*-devel)
- rust-zvariant2 (rust-zvariant2-devel, rust-zvariant2+*-devel)
- rust-zvariant_derive2 (rust-zvariant_derive2-devel, rust-zvariant_derive2+*-devel)
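One way to run this check, as an added example (not part of the Change page or of Fedora tooling): the script filters a list of binary package names, one per line, for the `-devel` and `+*-devel` subpackages of the four retired source packages. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag binary packages built from the retired source packages.
# Input: one binary package name per line on stdin.

# Source packages named in the Change page.
RETIRED_SRPMS="rust-zbus1 rust-zbus_macros1 rust-zvariant2 rust-zvariant_derive2"

# Print every input name matching <srpm>-devel or <srpm>+<feature>-devel.
# Unversioned packages (e.g. rust-zbus-devel) are deliberately not matched.
find_retired() {
    while IFS= read -r pkg; do
        for srpm in $RETIRED_SRPMS; do
            case "$pkg" in
                "$srpm"-devel|"$srpm"+*-devel)
                    printf '%s\n' "$pkg"
                    break ;;
            esac
        done
    done
}

# Return 0 when no retired package is listed, 1 otherwise (hits go to stderr).
check_retired() {
    hits=$(find_retired)
    [ -z "$hits" ] && return 0
    printf 'still available:\n%s\n' "$hits" >&2
    return 1
}

# Constructed sample listing (not real repository output).
sample_listing() {
    cat <<'EOF'
rust-zbus-devel
rust-zbus1-devel
rust-zbus1+default-devel
rust-zbus_macros-devel
rust-zvariant2+enumflags2-devel
rust-zvariant-devel
rust-zbus10-devel
EOF
}

# Stand-alone run: prints the three retired names found in the sample.
sample_listing | find_retired
```

Against real repositories, pipe in the package names from a `dnf repoquery` run for Fedora 42 instead of `sample_listing`.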
User Experience
If any dependent package cannot be ported away from zbus v1 in time for Fedora 42, it will be retired from Fedora 42+. Due to the statically linked nature of programs written in Rust, previously built versions of these packages will continue to work; they will only fail to build on Fedora 42+ until ported to newer zbus versions.
Dependencies
There are three applications that currently depend on zbus v1:
- nmstate
- libslirp-helper (from rust-libslirp) - apparently obsoleted by passt?
- squeekboard
They will need to be ported to a newer version of zbus (ideally, zbus v4, which is what is currently shipped by Fedora, though zbus v5 has already been released as of October 18, 2024).
Contingency Plan
- Contingency mechanism: packages for zbus v1 and zvariant v2 will not be retired (or will be un-retired if already retired)
- Contingency deadline: Final Freeze
- Blocks release? No
Documentation
- zbus / zvariant release notes on GitHub: https://github.com/dbus2/zbus/releases
Release Notes
N/A (not a user-facing change)