From ad9fdd835657672f241b64065f42084dfcc0783c Mon Sep 17 00:00:00 2001 From: Adrian Dombeck Date: Wed, 1 Apr 2026 13:18:26 +0200 Subject: [PATCH 1/8] debian/control: Bump build dependency on cargo to 1.91 Noble archives now include cargo-1.91. We should always try to use the latest available cargo version to avoid issues when updating our Rust dependencies. --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 16a917b89b..b2b4af6925 100644 --- a/debian/control +++ b/debian/control @@ -11,7 +11,7 @@ Build-Depends: debhelper-compat (= 13), dh-exec, dh-golang, dctrl-tools, - cargo (>= 1.82) | cargo-1.82, + cargo (>= 1.91) | cargo-1.91, # FIXME: We need cargo-vendor-filterer starting from plucky, but noble isn't ready yet # so workaround it, making it kind of optional, and requiring it only on versions after # noble (controlled via base-files version that matches the one in noble). From 0075452e45635adcfbc927acfdc6ecbad42fdc4c Mon Sep 17 00:00:00 2001 From: Adrian Dombeck Date: Wed, 1 Apr 2026 13:20:32 +0200 Subject: [PATCH 2/8] debian/rules: Use versioned cargo wrapper on Noble We hardcoded the path to the cargo executable to /usr/share/cargo/bin/cargo which is the wrapper shipped by the cargo package. On Noble, that's cargo 1.75. To build with the latest cargo version (currently cargo-1.91 on Noble) we have to use the cargo wrapper below /usr/lib/rust-$VERSION instead. --- debian/get-depends-cargo-bin-path.sh | 33 ++++++++++++++++++++++++++++ debian/rules | 19 ++++++++-------- debian/vendor-rust.sh | 6 +++-- 3 files changed, 47 insertions(+), 11 deletions(-) create mode 100755 debian/get-depends-cargo-bin-path.sh diff --git a/debian/get-depends-cargo-bin-path.sh b/debian/get-depends-cargo-bin-path.sh new file mode 100755 index 0000000000..5205129ae7 --- /dev/null +++ b/debian/get-depends-cargo-bin-path.sh @@ -0,0 +1,33 @@ +#!/bin/sh + +set -eu + +debian_path=$(dirname "$0") +min_cargo_version=$(grep-dctrl -s Build-Depends -n - "${debian_path}"/control | \ + sed -n "s,.*\bcargo-\([0-9.]\+\)\b.*,\1,p") + +if [ -z "${min_cargo_version}" ]; then + echo >&2 "No cargo version specified in Build-Depends." + exit 1 +fi + +versioned_cargo="/usr/lib/rust-${min_cargo_version}/share/cargo/bin/cargo" +default_cargo="/usr/share/cargo/bin/cargo" +default_cargo_version=$(dpkg-query -W -f='${Version}' cargo 2>/dev/null || true) + +if [ -x "${default_cargo}" ] && \ + dpkg --compare-versions "${default_cargo_version}" ge "${min_cargo_version}" 2>/dev/null; then + echo >&2 "Using default cargo at ${default_cargo} (version ${default_cargo_version})" + dirname "${default_cargo}" + exit 0 +else + echo >&2 "Default cargo at ${default_cargo} does not meet the minimum version requirement of ${min_cargo_version} (found version '${default_cargo_version}')." +fi + +if [ ! -x "${versioned_cargo}" ]; then + echo >&2 "Versioned cargo at ${versioned_cargo} does not exist or is not executable." + exit 1 +fi + +echo >&2 "Using versioned cargo at ${versioned_cargo}" +dirname "${versioned_cargo}" diff --git a/debian/rules b/debian/rules index 0539b8f255..87405c62a5 100755 --- a/debian/rules +++ b/debian/rules @@ -21,9 +21,6 @@ export DH_GOLANG_INSTALL_ALL := 1 # as long as it matches the go.mod go stenza which is the language requirement. export GOTOOLCHAIN := local -# Use the debian cargo wrapper -export CARGO_PATH := /usr/share/cargo/bin/cargo - # Needed for Rust vendored sources tracking export CARGO_VENDOR_DIR := $(CURDIR)/vendor_rust @@ -50,10 +47,14 @@ export DH_GOLANG_BUILDPKG := \ $(AUTHD_GO_PACKAGE)/pam \ $(NULL) -# We add the required backported version to the $PATH so that if it exists, then -# we can use it. Otherwise we default to the go installed in original $PATH that -# always matches with the latest available go version in the archive. -export PATH := $(shell printenv PATH):$(shell ./debian/get-depends-go-bin-path.sh) +# Prepend the following paths to PATH: +# * The cargo wrapper. This will either be the path to the wrapper installed by +# dh-cargo, or the path to the wrapper installed by the cargo-$VERSION package. +# * The Go executable from the backported Go package. It's possible that no +# backported Go package is installed, because the golang-go package already +# satisfies the dependency. It's still fine to also add the path in that case, +# it will be ignored if it doesn't exist. +export PATH := $(shell ./debian/get-depends-cargo-bin-path.sh):$(shell ./debian/get-depends-go-bin-path.sh):$(shell printenv PATH) BUILDDIR := $(CURDIR)/obj-$(DEB_HOST_GNU_TYPE) @@ -89,7 +90,7 @@ override_dh_auto_configure: # TODO: Drop this when we won't care about noble anymore. if ! command -v cargo-vendor-filterer 2>/dev/null; then \ env DEB_CARGO_CRATE="$(DEB_SOURCE)_$(DEB_VERSION_UPSTREAM)" \ - $(CARGO_PATH) prepare-debian "$(CARGO_VENDOR_DIR)"; \ + cargo prepare-debian "$(CARGO_VENDOR_DIR)"; \ else \ echo "cargo version: $$(cargo --version)"; \ echo "cargo-vendor-filterer version: $$(cargo-vendor-filterer --version)"; \ @@ -105,7 +106,7 @@ override_dh_auto_build: DH_GOLANG_GO_GENERATE=1 dh_auto_build -- $(AUTHD_GO_PACKAGE)/pam # Build the NSS library - $(CARGO_PATH) build --release + cargo build --release # Build the daemon dh_auto_build -- $(AUTHD_GO_PACKAGE)/cmd/authd diff --git a/debian/vendor-rust.sh b/debian/vendor-rust.sh index 1fedf6e1d1..0d6275e9bd 100755 --- a/debian/vendor-rust.sh +++ b/debian/vendor-rust.sh @@ -13,10 +13,12 @@ if ! command -v cargo-vendor-filterer 2>/dev/null; then fi # Print the versions of cargo and cargo-vendor-filterer for debugging purposes. -echo "Using cargo version: $(${CARGO_PATH} --version)" +echo "PATH: $PATH" +echo "Using cargo: $(which cargo)" +echo "Using cargo version: $(cargo --version)" echo "Using cargo-vendor-filterer version: $(cargo-vendor-filterer --version)" # Some crates are shipped with .a files, which get removed by the helpers during the package build as a safety measure. # This results in cargo failing to compile, since the files (which are listed in the checksums) are not there anymore. # For those crates, we need to replace their checksum with a more general one that only lists the crate checksum, instead of each file. -${CARGO_PATH} vendor-filterer "${CARGO_VENDOR_DIR}" +cargo vendor-filterer "${CARGO_VENDOR_DIR}" From 5cc7e407cadf6c126257757755cf1bfa3238fdbf Mon Sep 17 00:00:00 2001 From: Adrian Dombeck Date: Wed, 1 Apr 2026 17:56:19 +0200 Subject: [PATCH 3/8] debian/rules: Add debug output Useful to debug the issue that the cargo wrapper executes the wrong cargo version --- debian/rules | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/rules b/debian/rules index 87405c62a5..4c6464e516 100755 --- a/debian/rules +++ b/debian/rules @@ -106,6 +106,8 @@ override_dh_auto_build: DH_GOLANG_GO_GENERATE=1 dh_auto_build -- $(AUTHD_GO_PACKAGE)/pam # Build the NSS library + echo "PATH: $(PATH)" + echo "Building NSS library with $$(which cargo) ($$(cargo --version))" cargo build --release # Build the daemon From 483fbd37c10592647d5a26cd2d0b3af2c3e6bf46 Mon Sep 17 00:00:00 2001 From: Adrian Dombeck Date: Thu, 9 Apr 2026 09:34:52 +0200 Subject: [PATCH 4/8] WIP: Try using cargo 1.91 from ppa:maxgmr/lp2100266-2 --- .github/workflows/debian-build.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/debian-build.yaml b/.github/workflows/debian-build.yaml index 0f6cae8616..d1db48347f 100644 --- a/.github/workflows/debian-build.yaml +++ b/.github/workflows/debian-build.yaml @@ -173,7 +173,9 @@ jobs: docker-image: ubuntu:${{ inputs.ubuntu-version }} # Add the Go backports PPA if we're testing a Ubuntu release which # doesn't have the required Go version in main. - extra-apt-repositories: ${{ (inputs.ubuntu-version == 'noble' || inputs.ubuntu-version == 'questing') && 'ppa:ubuntu-enterprise-desktop/golang' || '' }} + extra-apt-repositories: | + ${{ (inputs.ubuntu-version == 'noble' || inputs.ubuntu-version == 'questing') && 'ppa:ubuntu-enterprise-desktop/golang' || '' }} + ${{ (inputs.ubuntu-version == 'noble' && 'ppa:maxgmr/lp2100266-2' || '') }} # Extra build dependencies: # - systemd-dev: Required to read compile time variables from systemd via pkg-config. extra-source-build-deps: | From 5c0426e5dd6e5c2acc60ce59509cabed2d498adc Mon Sep 17 00:00:00 2001 From: Adrian Dombeck Date: Thu, 9 Apr 2026 13:31:25 +0200 Subject: [PATCH 5/8] WIP: debian: Also prepend /usr/lib/rust-/bin to PATH We already prepended the path to the directory of the cargo wrapper (/usr/lib/rust-/share/cargo/bin/cargo) but that directory doesn't contain the rustc binary, so when the cargo wrapper called rustc, it found and used the one in /usr/bin/. WIP because we should rename the script. --- debian/get-depends-cargo-bin-path.sh | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/debian/get-depends-cargo-bin-path.sh b/debian/get-depends-cargo-bin-path.sh index 5205129ae7..8034ffa40a 100755 --- a/debian/get-depends-cargo-bin-path.sh +++ b/debian/get-depends-cargo-bin-path.sh @@ -11,23 +11,24 @@ if [ -z "${min_cargo_version}" ]; then exit 1 fi -versioned_cargo="/usr/lib/rust-${min_cargo_version}/share/cargo/bin/cargo" -default_cargo="/usr/share/cargo/bin/cargo" +versioned_cargo_wrapper="/usr/lib/rust-${min_cargo_version}/share/cargo/bin/cargo" +versioned_bin_dir="/usr/lib/rust-${min_cargo_version}/bin" +default_cargo_wrapper="/usr/share/cargo/bin/cargo" default_cargo_version=$(dpkg-query -W -f='${Version}' cargo 2>/dev/null || true) -if [ -x "${default_cargo}" ] && \ +if [ -x "${default_cargo_wrapper}" ] && \ dpkg --compare-versions "${default_cargo_version}" ge "${min_cargo_version}" 2>/dev/null; then - echo >&2 "Using default cargo at ${default_cargo} (version ${default_cargo_version})" - dirname "${default_cargo}" + echo >&2 "Using default cargo at ${default_cargo_wrapper} (version ${default_cargo_version})" + dirname "${default_cargo_wrapper}" exit 0 else - echo >&2 "Default cargo at ${default_cargo} does not meet the minimum version requirement of ${min_cargo_version} (found version '${default_cargo_version}')." + echo >&2 "Default cargo at ${default_cargo_wrapper} does not meet the minimum version requirement of ${min_cargo_version} (found version '${default_cargo_version}')." fi -if [ ! -x "${versioned_cargo}" ]; then - echo >&2 "Versioned cargo at ${versioned_cargo} does not exist or is not executable." +if [ ! -x "${versioned_cargo_wrapper}" ]; then + echo >&2 "Versioned cargo at ${versioned_cargo_wrapper} does not exist or is not executable." exit 1 fi -echo >&2 "Using versioned cargo at ${versioned_cargo}" -dirname "${versioned_cargo}" +echo >&2 "Using versioned cargo at ${versioned_cargo_wrapper}" +echo "$(dirname "${versioned_cargo_wrapper}"):${versioned_bin_dir}" From 29095e3571e5a4040b955672c67f391e9906e029 Mon Sep 17 00:00:00 2001 From: Adrian Dombeck Date: Thu, 9 Apr 2026 20:14:45 +0200 Subject: [PATCH 6/8] debian/get-depends-cargo-bin-path.sh: Ignore comments in debian/control --- debian/get-depends-cargo-bin-path.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/get-depends-cargo-bin-path.sh b/debian/get-depends-cargo-bin-path.sh index 8034ffa40a..fd6411622b 100755 --- a/debian/get-depends-cargo-bin-path.sh +++ b/debian/get-depends-cargo-bin-path.sh @@ -4,6 +4,7 @@ set -eu debian_path=$(dirname "$0") min_cargo_version=$(grep-dctrl -s Build-Depends -n - "${debian_path}"/control | \ + grep -v '^\s*#' | \ sed -n "s,.*\bcargo-\([0-9.]\+\)\b.*,\1,p") if [ -z "${min_cargo_version}" ]; then From 71ddd5d205bbe7805d0e015e1cce15944f5646dd Mon Sep 17 00:00:00 2001 From: Adrian Dombeck Date: Thu, 9 Apr 2026 23:37:34 +0200 Subject: [PATCH 7/8] Support multiple cargo versions in debian/control --- debian/get-depends-cargo-bin-path.sh | 44 ++++++++++++++++------------ 1 file changed, 26 insertions(+), 18 deletions(-) diff --git a/debian/get-depends-cargo-bin-path.sh b/debian/get-depends-cargo-bin-path.sh index fd6411622b..2270bcdbbf 100755 --- a/debian/get-depends-cargo-bin-path.sh +++ b/debian/get-depends-cargo-bin-path.sh @@ -3,33 +3,41 @@ set -eu debian_path=$(dirname "$0") -min_cargo_version=$(grep-dctrl -s Build-Depends -n - "${debian_path}"/control | \ +min_cargo_versions=$(grep-dctrl -s Build-Depends -n - "${debian_path}"/control | \ grep -v '^\s*#' | \ - sed -n "s,.*\bcargo-\([0-9.]\+\)\b.*,\1,p") + grep -oP '(?<=cargo-)[0-9.]+') -if [ -z "${min_cargo_version}" ]; then +if [ -z "${min_cargo_versions}" ]; then echo >&2 "No cargo version specified in Build-Depends." exit 1 fi -versioned_cargo_wrapper="/usr/lib/rust-${min_cargo_version}/share/cargo/bin/cargo" -versioned_bin_dir="/usr/lib/rust-${min_cargo_version}/bin" default_cargo_wrapper="/usr/share/cargo/bin/cargo" +default_cargo_wrapper_dir="${default_cargo_wrapper%/cargo}" default_cargo_version=$(dpkg-query -W -f='${Version}' cargo 2>/dev/null || true) -if [ -x "${default_cargo_wrapper}" ] && \ - dpkg --compare-versions "${default_cargo_version}" ge "${min_cargo_version}" 2>/dev/null; then - echo >&2 "Using default cargo at ${default_cargo_wrapper} (version ${default_cargo_version})" - dirname "${default_cargo_wrapper}" - exit 0 -else - echo >&2 "Default cargo at ${default_cargo_wrapper} does not meet the minimum version requirement of ${min_cargo_version} (found version '${default_cargo_version}')." -fi +for min_cargo_version in ${min_cargo_versions}; do + versioned_cargo_wrapper="/usr/lib/rust-${min_cargo_version}/share/cargo/bin/cargo" + versioned_cargo_wrapper_dir="${versioned_cargo_wrapper%/cargo}" + versioned_bin_dir="/usr/lib/rust-${min_cargo_version}/bin" + + if [ -x "${default_cargo_wrapper}" ] && \ + dpkg --compare-versions "${default_cargo_version}" ge "${min_cargo_version}" 2>/dev/null; then + echo >&2 "Using default cargo at ${default_cargo_wrapper} (version ${default_cargo_version})" + echo "${default_cargo_wrapper_dir}" + exit 0 + else + echo >&2 "Default cargo at ${default_cargo_wrapper} does not meet the minimum version requirement of ${min_cargo_version} (found version '${default_cargo_version}')." + fi + + if [ -x "${versioned_cargo_wrapper}" ]; then + echo >&2 "Using versioned cargo at ${versioned_cargo_wrapper}" + echo "${versioned_cargo_wrapper_dir}:${versioned_bin_dir}" + exit 0 + fi -if [ ! -x "${versioned_cargo_wrapper}" ]; then echo >&2 "Versioned cargo at ${versioned_cargo_wrapper} does not exist or is not executable." - exit 1 -fi +done -echo >&2 "Using versioned cargo at ${versioned_cargo_wrapper}" -echo "$(dirname "${versioned_cargo_wrapper}"):${versioned_bin_dir}" +echo >&2 "No suitable cargo version found for minimum required version ${min_cargo_versions}." +exit 1 From 5fa0c64531fd0786bd9e01674983b9bd0f1ab0a6 Mon Sep 17 00:00:00 2001 From: Adrian Dombeck Date: Thu, 9 Apr 2026 19:25:40 +0200 Subject: [PATCH 8/8] WIP: debian/control: Install cargo-1.88 on Questing --- debian/control | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/debian/control b/debian/control index b2b4af6925..30af373700 100644 --- a/debian/control +++ b/debian/control @@ -11,7 +11,12 @@ Build-Depends: debhelper-compat (= 13), dh-exec, dh-golang, dctrl-tools, - cargo (>= 1.91) | cargo-1.91, +# FIXME: We need a newer cargo to be able to update our Rust dependencies. +# These are the newest versions currently available in the active Ubuntu releases: +# * Noble: cargo-1.91 +# * Questing: cargo-1.88 +# * Resolute: cargo (>= 1.91) + cargo (>= 1.91) | cargo-1.91 | cargo-1.88, # FIXME: We need cargo-vendor-filterer starting from plucky, but noble isn't ready yet # so workaround it, making it kind of optional, and requiring it only on versions after # noble (controlled via base-files version that matches the one in noble).