Package: pydantic-core
version: 2.27.2-1

I hope to update rust-idna soon to version 1.0.3 to fix CVE-2024-12224.
The Debian build-dependencies for your package allow the new version,
but the Cargo dependency does not.

After relaxing the cargo dependency, I ran into some test failures.
I think these are just oversensitive tests, but any feedback would
be appreciated.

An example of one of the errors is:

> E           AssertionError: Regex pattern did not match.
> E            Regex: 'Input\\ should\\ be\\ a\\ valid\\ URL,\\ invalid\\ domain\\ character\\ \\[type=url_parsing,'
> E            Input: "1 validation error for url\n  Input should be a valid URL, invalid international domain name [type=url_parsing, input_value='http://127.0.0.1%0d%0aConnection%3a%20keep-alive', input_type=str]\n    For further information visit https://errors.pydantic.dev/latest/v/url_parsing"

The new versions of rust-idna and rust-url have been uploaded to
experimental.
diff -Nru pydantic-core-2.27.2/debian/cargo_home/config.toml 
pydantic-core-2.27.2/debian/cargo_home/config.toml
--- pydantic-core-2.27.2/debian/cargo_home/config.toml  2024-12-18 
23:11:09.000000000 +0000
+++ pydantic-core-2.27.2/debian/cargo_home/config.toml  2025-03-27 
08:17:41.000000000 +0000
@@ -1,8 +1,11 @@
-[source]
+[source.crates-io]
+replace-with = "dh-cargo-registry"
 
-[source.debian]
-directory = "/usr/share/cargo/registry/"
+[source.dh-cargo-registry]
+directory = "/pydantic-core-2.27.2/debian/cargo_registry"
 
-[source.crates-io]
-replace-with = "debian"
+[build]
+rustflags = ['-C', 'debuginfo=2', '-C', 'strip=none', '--cap-lints', 'warn', 
'-C', 'linker=x86_64-linux-gnu-gcc', '-C', 'link-arg=-Wl,-z,relro', '-C', 
'link-arg=-Wl,-z,now', '--remap-path-prefix', 
'/pydantic-core-2.27.2=/usr/share/cargo/registry/pydantic-core-2.27.2', 
'--remap-path-prefix', 
'/pydantic-core-2.27.2/debian/cargo_registry=/usr/share/cargo/registry']
 
+[profile.release]
+debug = true
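Review bot: The new contents of debian/cargo_home/config.toml look like build-time output rather than a packaging change: directory = "/pydantic-core-2.27.2/debian/cargo_registry" is an absolute path at the filesystem root, and the rustflags line hard-codes linker=x86_64-linux-gnu-gcc plus --remap-path-prefix values tied to that same build path. None of this is mentioned in the changelog entry, which lists only the idna relaxation. Please regenerate the debdiff from a clean tree so this file keeps its original [source.debian] stanza, or explain in the changelog why it has to change.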
diff -Nru pydantic-core-2.27.2/debian/changelog 
pydantic-core-2.27.2/debian/changelog
--- pydantic-core-2.27.2/debian/changelog       2024-12-18 23:11:09.000000000 
+0000
+++ pydantic-core-2.27.2/debian/changelog       2025-03-27 08:23:30.000000000 
+0000
@@ -1,3 +1,10 @@
+pydantic-core (2.27.2-1.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Relax cargo dependency on idna crate.
+
+ -- root <cjwat...@debian.org>  Thu, 27 Mar 2025 08:23:30 +0000
+
 pydantic-core (2.27.2-1) unstable; urgency=medium
 
   * Team upload.
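Review bot: The trailer line of the new entry names the uploader as "root", which suggests the changelog was edited in a build chroot without DEBFULLNAME set; please correct the name before upload. The entry also lists only "Relax cargo dependency on idna crate." while the debdiff additionally touches debian/cargo_home/config.toml and removes debian/.gitignore, so either drop those changes or document them here.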
diff -Nru pydantic-core-2.27.2/debian/.gitignore 
pydantic-core-2.27.2/debian/.gitignore
--- pydantic-core-2.27.2/debian/.gitignore      2024-12-18 23:11:09.000000000 
+0000
+++ pydantic-core-2.27.2/debian/.gitignore      1970-01-01 00:00:00.000000000 
+0000
@@ -1,2 +0,0 @@
-/cargo_registry
-/files
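Review bot: Removing debian/.gitignore (the /cargo_registry and /files entries) is unrelated to relaxing the idna requirement and is not recorded in the changelog. It looks like a side effect of how the diff was generated; please leave the file in place so the generated cargo_registry directory stays ignored in the packaging repository.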
diff -Nru 
pydantic-core-2.27.2/debian/patches/0001-Fudge-rust-crate-version-requirements.patch
 
pydantic-core-2.27.2/debian/patches/0001-Fudge-rust-crate-version-requirements.patch
--- 
pydantic-core-2.27.2/debian/patches/0001-Fudge-rust-crate-version-requirements.patch
        2024-12-18 23:11:09.000000000 +0000
+++ 
pydantic-core-2.27.2/debian/patches/0001-Fudge-rust-crate-version-requirements.patch
        2025-03-27 07:56:33.000000000 +0000
@@ -16,7 +16,7 @@
  url = "2.5.0"
  # idna is already required by url, added here to be explicit
 -idna = "1.0.2"
-+idna = "0.4.0"
++idna = ">= 0.4.0"
  base64 = "0.22.1"
  num-bigint = "0.4.6"
  python3-dll-a = "0.2.10"
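Review bot: The replacement requirement idna = ">= 0.4.0" has no upper bound, so it will also accept any later major release of the crate, including ones with incompatible APIs or behaviour. Since the goal is to admit 1.0.3, consider a bounded form such as ">= 0.4.0, < 2". The report already shows one behavioural difference across that range: the URL error text changes from "invalid domain character" to "invalid international domain name", so the tests that match on the message need a matching patch (for example, asserting on type=url_parsing only) before this can build with the new crate.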

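The report's point that the Cargo dependency does not allow idna 1.0.3 follows from how Cargo reads a bare version string: "0.4.0" is a caret requirement, not a minimum. The sketch below is an added example, not code from the report or from Cargo; it implements a simplified subset of Cargo's requirement rules (bare/caret, ">=" and "<" only), and the bounded form ">= 0.4.0, < 2" is a hypothetical alternative included for comparison.

```python
# Added illustration: simplified subset of Cargo version-requirement matching.
# Handles bare/caret requirements plus ">=" and "<" clauses; pre-release tags
# and the other operators are deliberately not handled.

def parse_version(text):
    """'1.0.3' -> (1, 0, 3); missing components are padded with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def caret_bounds(text):
    """Bare or '^' requirement -> (inclusive lower, exclusive upper)."""
    given = [int(p) for p in text.strip().lstrip("^").split(".")]
    lower = tuple(given + [0] * (3 - len(given)))
    # The upper bound bumps the left-most non-zero component that was written;
    # if every written component is zero, it bumps the last one written.
    idx = next((i for i, n in enumerate(given) if n != 0), len(given) - 1)
    upper = tuple(lower[:idx]) + (lower[idx] + 1,) + (0,) * (2 - idx)
    return lower, upper

def matches(requirement, version):
    """True if `version` satisfies every comma-separated clause."""
    v = parse_version(version)
    for clause in requirement.split(","):
        clause = clause.strip()
        if clause.startswith(">="):
            ok = v >= parse_version(clause[2:])
        elif clause.startswith("<"):
            ok = v < parse_version(clause[1:])
        else:
            lower, upper = caret_bounds(clause)
            ok = lower <= v < upper
        if not ok:
            return False
    return True

if __name__ == "__main__":
    # "0.4.0" and ">= 0.4.0" are from the patch; "1.0.2" is the line it
    # replaces; the bounded form is the hypothetical alternative.
    for req in ("0.4.0", "1.0.2", ">= 0.4.0", ">= 0.4.0, < 2"):
        results = {v: matches(req, v) for v in ("0.4.0", "1.0.3", "2.0.0")}
        print(f"{req!r:18} {results}")
```

The unbounded ">= 0.4.0" accepts the constructed version 2.0.0 as well, which is the trade-off a reviewer would want stated next to the relaxed requirement.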