Opened 7 months ago

Closed 6 months ago

Last modified 6 months ago

#20359 closed enhancement (fixed)

librsvg-2.59.1

Reported by: Bruce Dubbs
Owned by: Bruce Dubbs
Priority: normal
Milestone: 12.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description (last modified by Rahul Chandra)

New point version. Now 2.59.0

Change History (18)

comment:1 by Rahul Chandra, 7 months ago

Owner: changed from blfs-book to Rahul Chandra
Status: new → assigned

comment:2 by Rahul Chandra, 6 months ago

Description: modified
Summary: librsvg-2.58.4 → librsvg-2.59.0

Leaving open to add cargo-c to the book which is now required for the build.

Version 2.59.0
==============

librsvg crate version 2.59.0

librsvg-rebind crate version 0.1.0

The biggest change in this release is that librsvg now uses the Meson
build system instead of autotools.  Many, many thanks to Amyspark and
Centricular for doing and funding this massive work.

With Meson, librsvg now builds a lot more reliably on Windows and
MacOS.

The Meson options for different compile-time configurations are
documented in devel-docs/compiling.rst.

Requirements for build tools:

- Meson 1.2.0 or later
- Rust 1.77.2 or later
- cargo-c 0.9.19 or later (https://github.com/lu-zero/cargo-c)

Summary of changes (see the release notes for the 2.58.9x releases for
more details):

- Librsvg now uses Meson instead of Autotools (Amyspark, Chun-wei Fan,
  Kleis Auke Wolthuizen, Jordan Petridis, Lovell Fuller, Nirbheek
  Chauhan).

- There is a -Davif meson option to include support for AVIF in the
  image-rs crate, which librsvg uses to load raster images.  See
  devel-docs/compiling.rst for details.  (Jan Alexander Steffens)

- #1061 - Librsvg now explicitly builds only its supported raster
  formats for image-rs: JPEG, PNG, GIF, WEBP, and optional
  compile-time support for AVIF (Kleis Auke Wolthuizen).  Other raster
  image formats are not supported, to minimize the attack surface.
  Please file a bug if you need more formats.

- #429 - Librsvg now supports cancellable rendering; you can start
  rendering an RsvgHandle in one thread, and stop it from another
  thread with a GCancellable.  In the C API, you can use the
  rsvg_handle_set_cancellable_for_rendering() function; in the Rust
  API, CairoRenderer now has a with_cancellable() method.

- #1089 - For Rust users, there is now a librsvg-rebind crate that
  binds the C API for use from Rust.  Internally this links to the
  system's librsvg shared library, in contrast with the librsvg
  crate, which is statically linked and which has a native Rust API.
  The librsvg-rebind crate is for cases where the additional code
  size from static linking is not desired.  This librsvg-rebind crate
  is available from crates.io. (Sophie Herold).

- A bunch of fixes to bugs found through fuzz testing.

comment:3 by Rahul Chandra, 6 months ago

Resolution: fixed
Status: assigned → closed
Fixed @
db65d99b0decdc2b38ab9596db7a6f4ed49047f9 - protobuf-28.2
4d0a4263abf0a00d5050953caa5bbeba0940fb78 - libpng-1.6.44
3a37e2f6cde8f490ee87dfce68a590ab817dc834 - bluez-5.78
befaab0a59b34bd4f25b5dd9cb86a09fe64bf87d - librsvg-2.58.4
d65e019e26c4128e3a01a6a549900e8f96ea1cb3 - curl-8.10.1 (Security Update).
1aa3576106248285dcf02e640d8a3dc660d864a6 - qemu-9.1.0
5216c76c32d250b0acf96b2b7e6d3df2e1d3956c - power-profiles-daemon-0.23

comment:4 by Xi Ruoyao, 6 months ago

Resolution: fixed
Status: closed → reopened

comment:5 by Xi Ruoyao, 6 months ago

I have trouble downloading cargo-c.

The download location https://github.com/lu-zero/cargo-c/archive/v0.10.4/cargo-c-0.10.4.tar.gz lacks the Cargo.lock file, thus when we build this archive cargo will download and use the latest version of the dependencies. So in each build we may use different versions of the dependencies, and it's unacceptable for a stable BLFS release.

Another download location https://crates.io/api/v1/crates/cargo-c/0.10.4+cargo-0.82.0/download has a stupid filename (if downloading with wget).

The (standalone) Cargo.lock file is available at https://github.com/lu-zero/cargo-c/releases/download/v0.10.4/Cargo.lock but again it has a stupid filename (which package does the file belong to?).

I guess we'll end up uploading the tarball from https://crates.io/api/v1/crates/cargo-c/0.10.4+cargo-0.82.0/download to anduin.

Last edited 6 months ago by Xi Ruoyao

comment:6 by Xi Ruoyao, 6 months ago

Another possibility is using curl (it'll be a required/recommended dependency then) to download https://github.com/lu-zero/cargo-c/releases/download/v0.10.4/Cargo.lock as a part of the book instruction:

curl -LO https://github.com/lu-zero/cargo-c/releases/download/v0.10.4/Cargo.lock

curl is already recommended for rustc so people should already have it installed. And cargo build --release will require an Internet connection anyway, so the package should already have the "building requires Internet" note.

comment:7 by Xi Ruoyao, 6 months ago

So what I've got for cargo-c:

# Download (HTTP)
curl -LO https://github.com/lu-zero/cargo-c/archive/v0.10.4/cargo-c-0.10.4.tar.gz

# Required:
#  - rustc
#  - an Internet connection
# Recommended:
#  - curl (for downloading Cargo.lock)
#  - libssh2 (otherwise a shipped copy will be used)
#  - sqlite3 (ditto)
# Optional:
#  - libgit2 (external)

# Download a file specifying the versions of dependencies:
curl -LO https://github.com/lu-zero/cargo-c/releases/download/v0.10.4/Cargo.lock

# Allow building with system libssh2 and sqlite3 (like rustc):
[ ! -e /usr/include/libssh2.h ] || export LIBSSH2_SYS_USE_PKG_CONFIG=1
[ ! -e /usr/include/sqlite3.h ] || export LIBSQLITE3_SYS_USE_PKG_CONFIG=1

# Build the package
cargo build --release

# Test the package
cargo test --release

# Install the package
sudo install -vm755 target/release/cargo-c*[a-z][a-z] /usr/bin/

Some remaining issues:

  • Maybe /opt/rustc/bin is better than /usr/bin? (But then we'll need to reinstall the package whenever upgrading rustc.)
  • Maybe we can add libgit2 as a package so rustc and cargo-c can share the system libgit2 library? (Gentoo does this.)

Last edited 6 months ago by Xi Ruoyao
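
An added example (not part of the ticket or the BLFS book): one way to address the concerns in comments 5 to 7 that the release's Cargo.lock has an unversioned name and that dependency versions must not drift between builds. The helper names, the digest placeholder and the constructed sample lock file are assumptions; `--locked` makes cargo fail instead of re-resolving dependencies.

```shell
#!/bin/sh
# Added example; helper names and the digest placeholder are assumptions.

# Succeed only if FILE ($1) hashes to the EXPECTED hex digest ($2).
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    [ "$actual" = "$2" ]
}

# Print the version LOCKFILE ($1) records for package NAME ($2), so an
# unversioned "Cargo.lock" can be matched to the tarball it belongs to.
locked_version() {
    awk -v name="$2" '
        /^\[\[package\]\]/ { in_pkg = 1; found = 0; next }
        in_pkg && $1 == "name" { found = ($3 == ("\"" name "\"")); next }
        in_pkg && found && $1 == "version" { gsub(/"/, "", $3); print $3; exit }
    ' "$1"
}

# Constructed sample (not the real cargo-c lock file) for an offline check.
sample_lock() {
    printf '%s\n' 'version = 3' '' \
        '[[package]]' 'name = "anyhow"' 'version = "1.0.0"' '' \
        '[[package]]' 'name = "cargo-c"' 'version = "0.10.4+cargo-0.82.0"'
}

# Fetch the lock file, check it, then build without letting cargo re-resolve.
# Run inside the unpacked cargo-c-0.10.4 source tree. The digest is a
# placeholder: record the real one once, from a copy you have reviewed.
build_cargo_c_locked() {
    expected="<sha256-of-reviewed-Cargo.lock>"
    curl -fLO https://github.com/lu-zero/cargo-c/releases/download/v0.10.4/Cargo.lock &&
    verify_sha256 Cargo.lock "$expected" &&
    case "$(locked_version Cargo.lock cargo-c)" in
        0.10.4*) ;;
        *) echo "Cargo.lock is not for cargo-c 0.10.4" >&2; return 1 ;;
    esac &&
    cargo build --release --locked
}
```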

comment:8 by Xi Ruoyao, 6 months ago

Owner: changed from Rahul Chandra to lfs-book
Status: reopened → new

comment:9 by Xi Ruoyao, 6 months ago

Now it's harder to make the doc installed into where we want:

sed -e "s/Rsvg-2.0/librsvg-2.59.0/" \
    -e "s/'--output-dir'/'--no-namespace-dir', &/" \
    -e "/OUTDIR/s|,$|/ 'librsvg-2.59.0'&|" \
    -i doc/meson.build

Otherwise it's a normal MNNI. LC_ALL=C seems no longer needed.

comment:10 by Rahul Chandra, 6 months ago

Thanks Xi, this helps a lot. I will get to adding it, probably on Saturday.

comment:11 by Bruce Dubbs, 6 months ago

Owner: changed from lfs-book to Bruce Dubbs
Status: new → assigned

comment:12 by Bruce Dubbs, 6 months ago

Summary: librsvg-2.59.0 → librsvg-2.59.1

Now version 2.59.1. I needed to update the currency.

comment:13 by Bruce Dubbs, 6 months ago

Resolution: fixed
Status: assigned → closed

Fixed at commit 11e68b9502.

Added cargo-c in support at commit e462a41478.

comment:14 by Xi Ruoyao, 6 months ago

I don't like making Cargo.lock an additional download. The file name is not versioned (so a user can forget to download it again when updating librsvg to a new version, say 2.59.2), and we cannot even tell which package it's for from the name.

Can I change the book to just download it using curl in the instructions? Note that cargo build --release already requires an Internet connection so there will be no harm IMO.

in reply to:  14 ; comment:15 by Douglas R. Reno, 6 months ago

Replying to Xi Ruoyao:

> I don't like making Cargo.lock an additional download. The file name is not versioned (so a user can forget to download it again when updating librsvg to a new version, say 2.59.2), and we cannot even tell which package it's for from the name.
>
> Can I change the book to just download it using curl in the instructions? Note that cargo build --release already requires an Internet connection so there will be no harm IMO.

I'm not the biggest fan of having Cargo.lock as an additional download either. I think using curl to download it would be a great idea, especially since we already need rust (so it's already installed on the system).

comment:16 by Douglas R. Reno, 6 months ago

Release notes for 2.59.1:

Version 2.59.1
==============

librsvg crate version 2.59.1

librsvg-rebind crate version 0.1.0

Two mitigations for crashes found through fuzz testing:

- #1088, #1118 - Cairo is easy to crash by giving it path coordinates
  that are outside of the range that it can represent internally with
  its fixed-point arithmetic.  Fuzzers usually produce SVGs with very
  large numbers for coordinates, which overflow Cairo's arithmetic.
  This is just a *mitigation*, not a complete fix: librsvg will now
  check if path coordinates are outside of Cairo's supported range,
  and it will not render shapes with problematic coordinates.
  However, fuzzers may still produce coordinates that are in range but
  that still make Cairo crash.  I am starting to learn Cairo's code to
  see if this can be fixed gradually.

in reply to:  15 ; comment:17 by Bruce Dubbs, 6 months ago

Replying to Douglas R. Reno:

> Replying to Xi Ruoyao:
>
> > I don't like making Cargo.lock an additional download. The file name is not versioned (so a user can forget to download it again when updating librsvg to a new version, say 2.59.2), and we cannot even tell which package it's for from the name.
> >
> > Can I change the book to just download it using curl in the instructions? Note that cargo build --release already requires an Internet connection so there will be no harm IMO.
>
> I'm not the biggest fan of having Cargo.lock as an additional download either. I think using curl to download it would be a great idea, especially since we already need rust (so it's already installed on the system).

I suppose using curl will be OK. Go ahead and change the instructions, but be sure to put in a note about why we are doing that.

in reply to:  17 comment:18 by Xi Ruoyao, 6 months ago

Replying to Bruce Dubbs:

> Replying to Douglas R. Reno:
>
> > Replying to Xi Ruoyao:
> >
> > > I don't like making Cargo.lock an additional download. The file name is not versioned (so a user can forget to download it again when updating librsvg to a new version, say 2.59.2), and we cannot even tell which package it's for from the name.
> > >
> > > Can I change the book to just download it using curl in the instructions? Note that cargo build --release already requires an Internet connection so there will be no harm IMO.
> >
> > I'm not the biggest fan of having Cargo.lock as an additional download either. I think using curl to download it would be a great idea, especially since we already need rust (so it's already installed on the system).
>
> I suppose using curl will be OK. Go ahead and change the instructions, but be sure to put in a note about why we are doing that.

r12.2-246-g26c3ba5374.
