(fix) Bump remove_dir_all to 0.8.2

[barathrm]

Old version has a listed security vuln.

Fixes

Crate:     remove_dir_all
Version:   0.6.1
Title:     Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
Date:      2023-02-24
ID:        RUSTSEC-2023-0018
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0018
Solution:  Upgrade to >=0.8.0
Dependency tree:
remove_dir_all 0.6.1
└── etebase 0.5.3

[Xiretza]

Looks like remove_dir_all doesn't really follow semver, there were no breaking changes between 0.6.1 and 0.8.0 that I can find. So a pure bump without changing any code should be fine.

[tasn]

CI is failing.

[barathrm]

Cargo build succeeded locally, but the test fails with not finding version 0.8.0 of remove_dir_all. Trying with 0.8.2.

[tasn]

I think you have a typo? You added a v

[barathrm]

Yep, fixed 🤦

[tasn]

Still failing. :|

[barathrm]

Still failing. :|

Hm. Seems like the part that's failing is the test running cargo with rust nightly and -Z minimal-versions. I can look into why that might fail (a quick read of the docs (?) doesn't really help me), but if someone knows that'd be a nice short-cut. xD

[tasn]

There are also unrelated clippy errors (I guess because we are using a new enough clippy) which will just be fixed with clippy --fix ,but probably deserve a new PR. Would be great if you could do that too, though otherwise I can quickly do it myself. LMK.

[barathrm]

Running the nightly toolchain locally with cargo generate-lockfile -Z minimal-versions ¹ works fine for me. A bit of googling indicates that this kind of thing might happen if cargo uses a cache to look up dependencies?

¹ edit: followed by cargo test --no-fail-fast -- --test-threads=1

[barathrm]

There are also unrelated clippy errors (I guess because we are using a new enough clippy) which will just be fixed with clippy --fix ,but probably deserve a new PR. Would be great if you could do that too, though otherwise I can quickly do it myself. LMK.

Attempt here #43

[Xiretza]

Nightly is only used to generate the minimal-versions lockfile, the tests themselves run with the Minimum Supported Rust Version (1.56). Maybe remove_dir_all 0.8.0 requires a newer MSRV?

[tasn]

@barathrm, I merged your other PR, please rebase this on top of that so clippy is fixed. :)

[tasn]

I think @Xiretza is right. We can update the min rust version for all I care. I didn't even remember we set one.

[barathrm]

Nightly is only used to generate the minimal-versions lockfile, the tests themselves run with the Minimum Supported Rust Version (1.56). Maybe remove_dir_all 0.8.0 requires a newer MSRV?

You're right, I can reproduce the issue locally by manually using 1.56.0. Gonna try bumping to something newer.

[barathrm]

Not sure why the minimal versions workflow fails on openssl now... can't reproduce that locally, and the docker does have libssl-dev installed.

[tasn]

No idea. :|

[Xiretza]

Wild guess: the container image has updated/changed at some point and now contains an incompatible openssl version?

[barathrm]

Wild guess: the container image has updated/changed at some point and now contains an incompatible openssl version?

Hm, maybe. Or the versions selected by rust nightly's -Z minimal-versions aren't compatible with the docker's openssl?

Seems like the workflow uses ubuntu-latest, which I assume is the default github ubuntu latest docker.

[Xiretza]

Hm, maybe. Or the versions selected by rust nightly's -Z minimal-versions aren't compatible with the docker's openssl?

Those shouldn't have changed since the last time CI ran (successfully).

Seems like the workflow uses ubuntu-latest, which I assume is the default github ubuntu latest docker.

It's probably that then - ubuntu-latest always points at the latest release, which can and will change. Looks like it updated to openssl 3.x, which isn't supported by openssl-sys 0.9.55: https://stackoverflow.com/questions/67346713/wsl-ubuntu-cargo-rust-openssl-environment-variables-not-set

[tasn]

Should we just bump openssl-sys?

[barathrm]

Well then. bumped openssl-sys, openssl and cc. Had to bump cc to be able to build the newer openssl-sys, as mentioned in the commit msg. Tests pass.