From 6e5b81935a0253d3565ded101f389297c7cbeb0e Mon Sep 17 00:00:00 2001
From: Danny McClanahan <1305167+cosmicexplorer@users.noreply.github.com>
Date: Wed, 24 Apr 2019 11:33:24 -0700
Subject: [PATCH 1/4] test rustup init script fix

---
 build-support/bin/native/bootstrap_rust.sh | 27 ++++------------------
 1 file changed, 4 insertions(+), 23 deletions(-)

diff --git a/build-support/bin/native/bootstrap_rust.sh b/build-support/bin/native/bootstrap_rust.sh
index edf9c469636..9cebeaabbe9 100644
--- a/build-support/bin/native/bootstrap_rust.sh
+++ b/build-support/bin/native/bootstrap_rust.sh
@@ -17,29 +17,9 @@ function cargo_bin() {
 "${RUSTUP}" which cargo
 }
 
-# TODO(7288): RustUp tries to use a more secure protocol to avoid downgrade attacks. This, however,
-# broke support for Centos6 (https://github.com/rust-lang/rustup.rs/issues/1794). So, we first try
-# to use their recommend install, and downgrade to their workaround if necessary.
-function curl_rustup_init_script_while_maybe_downgrading() {
- if ! curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs; then
- log "Initial 'curl' command failed, trying backup url..."
- case "$(uname)" in
- Darwin)
- host_triple='x86_64-apple-darwin'
- ;;
- Linux)
- host_triple='x86_64-unknown-linux-gnu'
- ;;
- *)
- die "unrecognized platform $(uname) -- could not bootstrap rustup!"
- ;;
- esac
- full_rustup_backup_url="https://static.rust-lang.org/rustup/dist/${host_triple}/rustup-init"
- curl -sSf "$full_rustup_backup_url"
- fi
-}
-
 function bootstrap_rust() {
+ set -x
+
 RUST_TOOLCHAIN="$(cat ${REPO_ROOT}/rust-toolchain)"
 RUST_COMPONENTS=(
 "rustfmt-preview"
@@ -57,7 +37,8 @@ function bootstrap_rust() {
 # with "info: caused by: No such file or directory (os error 2)".
 local -r rustup_init_destination="${rustup_tmp_dir}/rustup-init"
 # NB: rustup installs itself into CARGO_HOME, but fetches toolchains into RUSTUP_HOME.
- curl_rustup_init_script_while_maybe_downgrading > "$rustup_init_destination"
+ curl -sSf 'https://raw.githubusercontent.com/rust-lang/rustup.rs/615ed4e265c702cdc2ad025e944a92d8068abde2/rustup-init.sh' \
+ > "$rustup_init_destination"
 chmod +x "$rustup_init_destination"
 "$rustup_init_destination" -y --no-modify-path --default-toolchain none 1>&2
 fi
From 6b765bbfdaedd1464e8450f0e95886c156bea2f2 Mon Sep 17 00:00:00 2001
From: Danny McClanahan <1305167+cosmicexplorer@users.noreply.github.com>
Date: Thu, 25 Apr 2019 10:50:49 -0700
Subject: [PATCH 2/4] simplify rustup init after upstream fix

---
 build-support/bin/native/bootstrap_rust.sh | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/build-support/bin/native/bootstrap_rust.sh b/build-support/bin/native/bootstrap_rust.sh
index 9cebeaabbe9..d38751a9b07 100644
--- a/build-support/bin/native/bootstrap_rust.sh
+++ b/build-support/bin/native/bootstrap_rust.sh
@@ -18,8 +18,6 @@ function cargo_bin() {
 }
 
 function bootstrap_rust() {
- set -x
-
 RUST_TOOLCHAIN="$(cat ${REPO_ROOT}/rust-toolchain)"
 RUST_COMPONENTS=(
 "rustfmt-preview"
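Review bot: In [PATCH 1/4] the file written by the added `curl -sSf '…/rustup-init.sh' > "$rustup_init_destination"` is made executable and run with no integrity check, and with the helper removed earlier in the same patch the `--proto '=https' --tlsv1.2` flags are gone too, so the TLS version is left to the host curl's defaults. The commit SHA in the URL pins what is requested, not what is received; comparing a digest before `chmod +x` would enforce the pin locally, e.g. `echo "<EXPECTED_SHA256>  ${rustup_init_destination}" | sha256sum -c - >&2 || die "rustup-init checksum mismatch"` (placeholder digest; `shasum -a 256 -c` where `sha256sum` is not installed). The same gap carries over to the `curl https://sh.rustup.rs -sSf | sh` line that [PATCH 2/4] puts in its place, which also drops the commit pin. bootstrap_rust starts and ends outside this hunk.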
@@ -29,18 +27,12 @@ function bootstrap_rust() {
 
 # Control a pants-specific rust toolchain.
 if [[ ! -x "${RUSTUP}" ]]; then
+ # NB: rustup installs itself into CARGO_HOME, but fetches toolchains into RUSTUP_HOME.
 log "A pants owned rustup installation could not be found, installing via the instructions at" \
 "https://www.rustup.rs ..."
- local -r rustup_tmp_dir="$(mktemp -d)"
- trap "rm -rf ${rustup_tmp_dir}" EXIT
- # NB: The downloaded file here *must* be named `rustup-init`, or the workaround binary fails
- # with "info: caused by: No such file or directory (os error 2)".
- local -r rustup_init_destination="${rustup_tmp_dir}/rustup-init"
- # NB: rustup installs itself into CARGO_HOME, but fetches toolchains into RUSTUP_HOME.
- curl -sSf 'https://raw.githubusercontent.com/rust-lang/rustup.rs/615ed4e265c702cdc2ad025e944a92d8068abde2/rustup-init.sh' \
- > "$rustup_init_destination"
- chmod +x "$rustup_init_destination"
- "$rustup_init_destination" -y --no-modify-path --default-toolchain none 1>&2
+ # This is the recommended installation method for Unix when '--proto' is not available on curl
+ # (as in CentOS6), see # https://github.com/rust-lang/rustup.rs#other-installation-methods.
+ curl https://sh.rustup.rs -sSf | sh -s -- -y --no-modify-path --default-toolchain none 1>&2
 fi
 
 local -r cargo="${CARGO_HOME}/bin/cargo"
From 4fc5222f5f0d549f9af4ae922ebafbc651f757c9 Mon Sep 17 00:00:00 2001
From: Danny McClanahan <1305167+cosmicexplorer@users.noreply.github.com>
Date: Sat, 27 Apr 2019 09:57:12 -0700
Subject: [PATCH 3/4] add more context about --proto workaround

---
 build-support/bin/native/bootstrap_rust.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/build-support/bin/native/bootstrap_rust.sh b/build-support/bin/native/bootstrap_rust.sh
index d38751a9b07..4227654f2d1 100644
--- a/build-support/bin/native/bootstrap_rust.sh
+++ b/build-support/bin/native/bootstrap_rust.sh
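Review bot: In [PATCH 2/4] the added `curl https://sh.rustup.rs -sSf | sh -s -- …` reports only the exit status of `sh`: unless `pipefail` is set somewhere outside this hunk, a failed or interrupted download goes undetected, and `sh -s` on empty input exits 0, so the install step can appear to succeed. Keeping the removed `mktemp -d` temp file and splitting the step in two preserves curl's exit status and leaves a file that can be inspected or checksummed before it runs: `curl -sSf https://sh.rustup.rs -o "${rustup_init_destination}" || die "rustup-init download failed"` followed by `sh "${rustup_init_destination}" -y --no-modify-path --default-toolchain none 1>&2`. The added comment also carries a stray `#` in `see # https://…`. bootstrap_rust starts and ends outside this hunk.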
@@ -32,6 +32,7 @@ function bootstrap_rust() {
 "https://www.rustup.rs ..."
 # This is the recommended installation method for Unix when '--proto' is not available on curl
 # (as in CentOS6), see # https://github.com/rust-lang/rustup.rs#other-installation-methods.
+ # The workaround was added in https://github.com/rust-lang/rustup.rs/pull/1803.
 curl https://sh.rustup.rs -sSf | sh -s -- -y --no-modify-path --default-toolchain none 1>&2
 fi
 
From d2b3ce1500ec949f83926d12ac7ee23926b8872e Mon Sep 17 00:00:00 2001
From: Danny McClanahan <1305167+cosmicexplorer@users.noreply.github.com>
Date: Sat, 27 Apr 2019 19:12:07 -0700
Subject: [PATCH 4/4] add TODO to use more secure version of rustup after migration to centos7

---
 build-support/bin/native/bootstrap_rust.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/build-support/bin/native/bootstrap_rust.sh b/build-support/bin/native/bootstrap_rust.sh
index 4227654f2d1..7fbe66c8969 100644
--- a/build-support/bin/native/bootstrap_rust.sh
+++ b/build-support/bin/native/bootstrap_rust.sh
@@ -33,6 +33,8 @@ function bootstrap_rust() {
 # This is the recommended installation method for Unix when '--proto' is not available on curl
 # (as in CentOS6), see # https://github.com/rust-lang/rustup.rs#other-installation-methods.
 # The workaround was added in https://github.com/rust-lang/rustup.rs/pull/1803.
+ # TODO(7288): Once we migrate to Centos7, we can go back to using RustUp's preferred and more
+ # secure installation method. Convert this to the snippet from https://rustup.rs.
 curl https://sh.rustup.rs -sSf | sh -s -- -y --no-modify-path --default-toolchain none 1>&2
 fi
 
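Review bot: The TODO added in [PATCH 4/4] calls the upstream snippet "more secure" without saying what the current `curl … | sh` line gives up, which makes the follow-up hard to verify once the CentOS 7 migration lands. The helper removed in [PATCH 1/4] shows the missing flags, so the comment could name them: `# i.e. restore: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- …`. bootstrap_rust starts and ends outside this hunk.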