azurelinux icon indicating copy to clipboard operation
azurelinux copied to clipboard
verified publisher icon microsoft

rust: Upgrade to 1.90.0

Open KavyaSree2610 opened this issue 3 months ago • 5 comments

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • [x] The toolchain has been rebuilt successfully (or no changes were made to it)
  • [x] The toolchain/worker package manifests are up-to-date
  • [x] Any updated packages successfully build (or no packages were changed)
  • [x] Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • [x] Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • [x] All package sources are available
  • [x] cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • [x] LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • [x] All source files have up-to-date hashes in the *.signatures.json files
  • [x] sudo make go-tidy-all and sudo make go-test-coverage pass
  • [x] Documentation has been updated to match any changes to the build system
  • [ ] Ready to merge
Summary
  • Upgrades Rust from 1.86.0 to 1.90.0
  • Updates all Rust-dependent packages to ensure compatibility with the new toolchain
  • Kata Containers Compatibility Patch (0001_warning.patch) A new patch has been introduced to resolve compilation warnings in kata-containers and kata-containers-cc that emerged with Rust 1.90.0. This patch is necessary because the kata-containers spec file requires rust >= 1.85.0, and newer Rust versions (1.88+) have stricter compiler warnings and linting rules.

Specific Fixes in the Patch:

  1. Dead Code Warning Suppression for s390x CCW Device Handlers Adds #[allow(dead_code)] annotations to Channel Command Word (CCW) device handler structs Root Cause: These CCW device handlers are implemented for s390x architecture support, but since kata-containers is built exclusively for x86_64 (as specified in the spec file), these structs are defined but never actually used

  2. Explicit Lifetime Annotation for Iterator Updates iterator lifetime annotations from elided lifetimes to explicit '_ (anonymous lifetime) Root Cause: Rust 1.88+ enforces more explicit lifetime annotations for iterators to improve code clarity and prevent potential lifetime-related bugs

What does the PR accomplish, why was it needed?

  • Upgrade rust to 1.90.0
Change Log
  • Bump release for all the dependent packages
  • Update cgmanifest and signatures for new rust
  • Suppress dead_code warnings for architecture-specific CCW handlers and fix lifetime elision warning in U32Set iterator implementation in katacontainers/kata-containers-cc
  • Add a patch to 389-ds-base to fix lifetime elision warning
Does this affect the toolchain?

NO

Associated issues
  • https://microsoft.visualstudio.com/OS/_workitems/edit/58943486
Links to CVEs
  • https://nvd.nist.gov/vuln/detail/CVE-YYYY-XXXX
Test Methodology
  • Buddy Build(SPECS): https://dev.azure.com/mariner-org/mariner/_build/results?buildId=972270&view=results
  • Buddy Build(SPECS-EXTENDED): https://dev.azure.com/mariner-org/mariner/_build/results?buildId=972436&view=results (Ptests failing in rust-cbindgen and python-argcomplete is a known issue)
  • Full build id: 3.0.20251030-kkaitepalli-967858

KavyaSree2610 avatar Oct 07 '25 06:10 KavyaSree2610

⚠️ PR Check Passed with Warnings

Found 7 warning(s) that should be reviewed.

🤖 AI Analysis Summary:

Brief Analysis:
This PR updates the Rust package version from 1.86.0 to 1.88.0 and bumps the stage0 compiler to 1.87.0 while revising the patch order. However, a discrepancy between spec patch references and the changelog has been detected.

Critical Issues Found:
• ERROR: The changelog still mentions a patch for CVE-2025-4574 although the current spec no longer references it.

Recommended Actions:
• Either reintroduce the CVE-2025-4574.patch into the spec (if still needed) or update the changelog to remove the obsolete reference.
• Clean up the patch files in the directory to avoid maintaining unused patches.
• Verify that all version bumps are security-audited and documented.

📋 For detailed analysis and recommendations, check the Azure DevOps pipeline logs.

CBL-Mariner-Bot avatar Oct 07 '25 06:10 CBL-Mariner-Bot

⚠️ PR Check Passed with Warnings

Found 7 warning(s) that should be reviewed.

🤖 AI Analysis Summary:

Brief Analysis:
This update bumps the Rust package from 1.86.0 to 1.88.0 (and stage0 from 1.85.0 to 1.87.0) and refreshes source signatures accordingly. The security patches for CVE-2025-53605 and CVE-2024-11738 remain listed, while the previously referenced CVE-2025-4574 patch has been removed from the Patch directives even though its fix is still noted in the changelog.

Critical Issues Found:
• Removed CVE-2025-4574 patch reference in the spec versus its appearance in the changelog (potential inconsistency).

Recommended Actions:
• Confirm that the upstream 1.88.0 release includes the fix for CVE-2025-4574 and update the changelog or remove legacy entries accordingly.
• Clean up any now-unused patch files, if appropriate.
• Double-check patch numbering and application (via %autosetup) for consistency.

📋 For detailed analysis and recommendations, check the Azure DevOps pipeline logs.

CBL-Mariner-Bot avatar Oct 07 '25 08:10 CBL-Mariner-Bot

⚠️ PR Check Passed with Warnings

Found 7 warning(s) that should be reviewed.

🤖 AI Analysis Summary:

Brief Analysis:
This update bumps the Rust package from 1.86.0 to 1.88.0 and updates several source signatures and stage0 versions. However, there is an inconsistency between the patch list and the changelog regarding CVE-2025-4574.

Critical Issues Found:
• ERROR: The changelog still references “Patch CVE-2025-4574” (from Jun 13 2025) even though the spec patch list now omits it.

Recommended Actions:
• Reconcile the patch references by either reintroducing CVE-2025-4574 in the spec (e.g. as Patch2) or updating the changelog to remove its mention.
• Verify that all patches are applied (via %autosetup/%patch macros) and their numbering remains sequential.
• Confirm that upstream CVE details and patch attributions are clearly documented in the changelog.

📋 For detailed analysis and recommendations, check the Azure DevOps pipeline logs.

CBL-Mariner-Bot avatar Oct 13 '25 05:10 CBL-Mariner-Bot

⚠️ PR Check Passed with Warnings

Found 6 warning(s) that should be reviewed.

🤖 AI Analysis Summary:

Brief Analysis:
This PR updates the Rust package from version 1.86.0 to 1.88.0, updates the stage0_version from 1.85.0 to 1.87.0, and removes the now-unreferenced CVE‑2025‑4574 patch. The changes appear to streamline the CVE patch application with sequential, valid patch listings.

Critical Issues Found:
• No critical security issues detected.

Recommended Actions:
• Remove any leftover CVE‑2025‑4574_1.75.patch from the directory to avoid confusion.
• Confirm that upstream fixes for CVE‑2025‑4574 justify its removal and that changelog documentation clearly reflects this decision.
• Verify patch application via %autosetup is functioning as expected with the remaining CVE‑2025‑53605.patch and CVE‑2024‑11738.patch.

📋 For detailed analysis and recommendations, check the Azure DevOps pipeline logs.

CBL-Mariner-Bot avatar Oct 13 '25 05:10 CBL-Mariner-Bot

The failing github PR checks are unrelated to this PR Full build successful, fullbuild id: 3.0.20251022-kkaitepalli-960899

KavyaSree2610 avatar Oct 15 '25 10:10 KavyaSree2610