[bug#32834] [PATCH] gnu: icecat: Build with rust-1.24.

[Joe Hillenbrand]

Rust 1.24.0 suffers from this CVE
https://www.cvedetails.com/cve/CVE-2018-1000622/

But I don't think it's relevant to building Firefox since it only
effects rustdoc plugins.
On Tue, Oct 2, 2018 at 2:47 AM Nils Gillmann <address@hidden> wrote:
>
> Ludovic Courtès transcribed 1.2K bytes:
> > Nils Gillmann <address@hidden> skribis:
> >
> > > Efraim Flashner transcribed 782 bytes:
> > >>
> > >>
> > >> On September 29, 2018 9:55:36 PM UTC, address@hidden wrote:
> > >> >Hi Efraim,
> > >> >
> > >> >Efraim Flashner <address@hidden> skribis:
> > >> >
> > >> >> * gnu/packages/gnuzilla.scm (icecat)[native-inputs]: Use the oldest
> > >> >> compatable rust over newer releases when building icecat.
> > >> >
> > >> >[...]
> > >> >
> > >> >> +      ;; Icecat 60 checkes for rust>=1.24
> > >> >> +     `(("rust" ,rust-1.24)
> > >> >> +       ("cargo" ,rust-1.24 "cargo")
> > >> >
> > >> >I suppose the goal is to reduce the build chain, right?
> > >>
> > >> Right. Currently each round of rust takes about 12 hours on my fast 
> > >> aarch64 board. This built successfully on aarch64 and ng0 was able to 
> > >> build and test it on x86_64.
> > >
> > > It is convenient (less than 36 hours build, build only one version of
> > > rust), but I have to second the doubt about CVEs.
> > > Mark, have you considered asking Mozilla about their recommended
> > > strategy wrt chosing the right rust for a Firefox-based browser
> > > building and implications of using an older rust for crates already
> > > in Firefox?
> >
> > I suspect Mozilla is not paying attention to bootstrapping issues the
> > way we do, so they’d probably recommend just using the latest Rust
> > version.
> >
> > Ludo’.
>
> Turns out they have it documented: 
> https://wiki.mozilla.org/Rust_Update_Policy_for_Firefox
> for 60:
> Firefox Version Requires        Rust release date       Firefox release date
> Firefox 60      Rust 1.24.0     2018 February 15        2018 May 9
>
>
>