From Fedora Project Wiki
(initial draft)
 
m (minor clarifications)
Line 90: Line 90:
* Proposal owners:
* Proposal owners:


Retire `rust-zbus1`, `rust-zbus_macros1`, `rust-zvariant2`, `rust-zvariant_derive2` from Fedora Rawhide / 42 before the start of the Fedora 42 Final Freeze.
Retire `rust-zbus1`, `rust-zbus_macros1`, `rust-zvariant2`, `rust-zvariant_derive2` from Fedora Rawhide / Fedora 42, at the latest before the start of the Final Freeze for Fedora 42.


* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers:


Port packages that depend on zbus v1 to zbus >= v4, work with upstream projects to do the same, or retire dependent packages.
Port packages that depend on zbus v1 to zbus >= v4, work with upstream projects to do the same, or retire dependent packages.

Revision as of 16:42, 18 October 2024

Retire zbus v1

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

The packages for v1 of the zbus crate (and the packages for v2 of the zvariant crate) will be retired from Fedora 42. Dependent packages are to be ported to a non-obsolete version of these libraries (i.e. zbus v4 or v5) or to be retired as well.

Owner

  • Name: Fabio Valentini for the Rust SIG
  • Email: decathorpe@gmail.com
  • Email: rust@lists.fedoraproject.org

Current status

  • Targeted release: Fedora Linux 42
  • Last updated: 2024-10-18
  • [Announced]
  • [<will be assigned by the Wrangler> Discussion thread]
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Fedora includes packages for different versions of the zbus crate. The packages for zbus v3 were recently retired from Fedora 42 since the last package that used this version was ported to v4. However, there are still a few packages left that depend on the long-obsolete zbus v1:

  • nmstate
  • rust-libslirp
  • squeekboard

We cannot continue to maintain packages for obsolete versions of the zbus and zvariant crates indefinitely. These packages in turn pull in dependencies that are increasingly outdated compared to other packages in Fedora, including a lot of compat packages for older alternative versions of existing Rust packages:

  • rust-async-io v1 compat package (current: v2)
  • rust-async-lock v2 compat package (current: v3)
  • rust-bitflags v1 compat package (current: v2)
  • rust-enumflags2 v0.6 compat package (current: v0.7)
  • rust-enumflags_derive2 v0.6 compat package (current: v0.7)
  • rust-event-listener v2 compat package (current: v5)
  • rust-futures-lite v1 compat package (current: v2)
  • rust-io-lifetimes v1 compat package (current: v2)
  • rust-linux-raw-sys v0.3 compat package (current: v0.6)
  • rust-memoffset v0.6 compat package (current: v0.9)
  • rust-nix v0.22 compat package (current: v0.29)
  • rust-polling v2 compat package (current: v3)
  • rust-proc-macro-crate v0.1 compat package (current: v3)
  • rust-proc-macro-crate v1 compat package (current: v3)
  • rust-rustix v0.37 compat package (current: v0.38)
  • rust-socket2 v0.4 compat package (current: v0.5)
  • rust-syn v1 compat package (current: v2)
  • rust-toml v0.5 compat package (current: v0.8)
  • rust-toml_edit v0.19 compat package (current: v0.22)
  • rust-winnow v0.5 (current: v0.6)

And in turn, these compat packages pull in even more old and / or obsolete packages.

Additionally, versions of zbus / zvariant before zbus v3.14 / zvariant 3.15 have known bugs on 32-bit systems and test failures on big-endian systems: https://github.com/dbus2/zbus/pull/362

Feedback

Benefit to Fedora

Implementing this change will allow the Rust SIG to drop potentially dozens of obsolete libraries and / or old compat packages from the distribution. Making the dependency graph less "dense" makes maintenance work easier due to fewer inter-dependencies that need to be taken into account when pushing library updates.

Additionally, packages for old versions of crates often require ongoing maintenance due to new rustc compiler errors, or require fixes for compatibility with new versions of cargo. As a result, dropping old packages frees up time that package maintainers could spend on more useful work. Dropping obsolete packages from the distribution also has indirect benefits, like reduced load on Fedora infrastructure (koschei CI, mass rebuilds, etc.).

While none of the packages included in the list above are listed as "vulnerable" in the RUSTSEC database, this database is not exhaustive, and many packages in this list contain "unsafe" code that could contain soundness problems that were just not submitted to RUSTSEC for classification.

Scope

  • Proposal owners:

Retire rust-zbus1, rust-zbus_macros1, rust-zvariant2, rust-zvariant_derive2 from Fedora Rawhide / Fedora 42, at the latest before the start of the Final Freeze for Fedora 42.

  • Other developers:

Port packages that depend on zbus v1 to zbus >= v4, work with upstream projects to do the same, or retire dependent packages.

Porting from zbus v1 to newer versions requires some code changes due to API changes in zbus >= v2, which might or might not be trivial. For example, this is the PR for system-76-keyboard-configurator to port it from zbus v1 to v3 (with fewer required changes between zbus v3 and v4): https://github.com/pop-os/keyboard-configurator/pull/221

  • Release engineering:

N/A (just ensure that retired packages are removed from repositories / blocked in koji correctly, but this is already covered by normal Release Engineering processes)

  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with the Fedora Strategy:

Dropping obsolete packages makes it easier for new contributors to start working on the Rust stack in Fedora.

Upgrade/compatibility impact

Rust library packages are not intended to be installed on end-user systems, and are almost exclusively installed in ephemeral build environments (i.e. mock chroots).

If any of the dependent packages (nmstate, rust-libslirp, squeekboard) are retired, they can be added to fedora-obsolete-packages. But since Rust crates are statically linked and are not a dependency for built packages, this is not strictly necessary.

How To Test

None of the packages built from the following source packages should be available for installation on Fedora 42:

  • rust-zbus1 (rust-zbus1-devel, rust-zbus1+*-devel)
  • rust-zbus_macros1 (rust-zbus_macros1-devel, rust-zbus_macros1+*-devel)
  • rust-zvariant2 (rust-zvariant2-devel, rust-zvariant2+*-devel)
  • rust-zvariant_derive2 (rust-zvariant_derive2-devel, rust-zvariant_derive2+*-devel)
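
One way to automate this check, as an added example that is not part of the original proposal: the function below filters a list of binary package names for anything built from the four retired source packages, using the `-devel` and `+*-devel` naming patterns listed above. The function names, the feature name `default` and the sample listing are constructed for illustration; real input is assumed to be one package name per line, as a repository query would produce.

```shell
#!/bin/sh
# Source packages this Change retires (names taken from the list above).
RETIRED_SRPMS="rust-zbus1 rust-zbus_macros1 rust-zvariant2 rust-zvariant_derive2"

# find_retired: read binary package names (one per line) on stdin and print
# every name built from a retired source package. Exit status is 0 only when
# no such package is present, so it can gate a compose or CI job.
find_retired() {
    found=0
    while IFS= read -r pkg; do
        for src in $RETIRED_SRPMS; do
            case "$pkg" in
                # <src>-devel is the main subpackage, <src>+<feature>-devel
                # the per-feature ones; "+" is literal in a case pattern.
                "$src"-devel|"$src"+*-devel)
                    printf '%s\n' "$pkg"
                    found=1
                    ;;
            esac
        done
    done
    [ "$found" -eq 0 ]
}

# Constructed sample listing: current zbus/zvariant packages (which must NOT
# match) mixed with leftovers from the retired versions.
sample_listing() {
    cat <<'EOF'
rust-zbus-devel
rust-zbus+default-devel
rust-zbus1-devel
rust-zbus1+default-devel
rust-zvariant-devel
rust-zvariant_derive2-devel
nmstate
EOF
}

# On a real system the input would come from the package manager instead,
# e.g. the output of a dnf repoquery that prints only package names.
if sample_listing | find_retired; then
    echo "OK: no retired zbus v1 / zvariant v2 packages available"
else
    echo "FAIL: retired packages listed above are still available"
fi
```
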

User Experience

N/A (not a user-facing change)

Dependencies

There are three applications that currently depend on zbus v1:

  • nmstate
  • libslirp-helper (from rust-libslirp) - apparently obsoleted by passt?
  • squeekboard

They will need to be ported to a newer version of zbus (ideally, zbus v4, which is what is currently shipped by Fedora, though zbus v5 has already been released as of October 18, 2024).

Contingency Plan

  • Contingency mechanism: packages for zbus v1 and zvariant v2 will not be retired (or will be un-retired if already retired)
  • Contingency deadline: Final Freeze
  • Blocks release? No

Documentation

Release Notes

N/A (not a user-facing change)