From e8e18bb85a971c594051dc29f8b16167821a6056 Mon Sep 17 00:00:00 2001
From: Gavin Inglis <giinglis@amazon.com>
Date: Fri, 28 Feb 2025 23:59:23 +0000
Subject: [PATCH 1/3] ci: link against musl

Signed-off-by: Gavin Inglis <giinglis@amazon.com>
---
 .github/workflows/rust.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index aa7279dd0..f4f1d8ea2 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -20,9 +20,10 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version: "^1.18"
-      # Install `patch`, needed to build `krane-bundle`
-      - run: sudo apt-get install -y patch
-      - run: make build
+      # Install `patch`, needed to build `krane-bundle`, and tools for linking against musl
+      - run: sudo apt-get install -y patch musl-tools musl-dev
+      - run: rustup target add x86_64-unknown-linux-musl
+      - run: CARGO_BUILD_TARGET=x86_64-unknown-linux-musl make build
 
   cross-build:
     runs-on:

From 259298a409aa41ad2fcfb3fdbc86aaeea8422b68 Mon Sep 17 00:00:00 2001
From: Gavin Inglis <giinglis@amazon.com>
Date: Wed, 26 Feb 2025 20:12:26 +0000
Subject: [PATCH 2/3] update rust toolchain to latest nightly

Update rust toolchain to the latest nightly release. Address lints and
license clarifications as a result.

Signed-off-by: Gavin Inglis <giinglis@amazon.com>
---
 clarify.toml                              | 17 +++++++++++++++++
 deny.toml                                 |  8 +++-----
 rust-toolchain.toml                       |  2 +-
 tools/buildsys/src/cache.rs               |  2 +-
 tools/buildsys/src/gomod.rs               |  2 +-
 tools/oci-cli-wrapper/src/lib.rs          | 14 +++++++-------
 tools/testsys/src/aws_resources.rs        |  8 ++++----
 tools/testsys/src/crds.rs                 |  2 +-
 tools/update-metadata/src/lib.rs          |  2 +-
 twoliter/src/project/lock/mod.rs          |  8 ++++----
 twoliter/src/project/lock/verification.rs |  3 ---
 twoliter/src/project/vendor.rs            |  2 +-
 12 files changed, 41 insertions(+), 29 deletions(-)

diff --git a/clarify.toml b/clarify.toml
index 4a0887602..7c97d405b 100644
--- a/clarify.toml
+++ b/clarify.toml
@@ -27,6 +27,23 @@ license-files = [
     { path = "src/unicode_tables/LICENSE-UNICODE", hash = 0xa7f28b93 },
 ]
 
+[clarify.rust-fuzzy-search]
+expression = "MIT OR Apache-2.0"
+license-files = [
+    { path = "LICENSE-APACHE", hash = 0xbde481e5 },
+    { path = "LICENSE-MIT", hash = 0xb5a90d39 },
+]
+skip-files = [
+    # these licenses apply to documentation
+    "target/doc/FiraSans-LICENSE.txt",
+    "target/doc/COPYRIGHT.txt",
+    "target/doc/LICENSE-APACHE.txt",
+    "target/doc/LICENSE-MIT.txt",
+    "target/doc/SourceCodePro-LICENSE.txt",
+    "target/doc/SourceSerif4-LICENSE.md",
+]
+
+
 [clarify.typenum]
 expression = "MIT OR Apache-2.0"
 license-files = [
diff --git a/deny.toml b/deny.toml
index 8e38fc851..af73ef577 100644
--- a/deny.toml
+++ b/deny.toml
@@ -78,8 +78,6 @@ skip = [
     { name = "tabled", version = "0.15.0" },
     # multiple deps are using an older version of tabled_derive
     { name = "tabled_derive", version = "0.7.0" },
-    # multiple deps are using an older version of zerocopy
-    { name = "zerocopy", version = "0.7.35" },
 ]
 
 skip-tree = [
@@ -90,9 +88,9 @@ skip-tree = [
     { name = "windows-sys" },
 ]
 
-[bans.workspace-dependencies]    
-duplicates = "deny"                                                                                                                                                                                                                                   
-include-path-dependencies = true    
+[bans.workspace-dependencies]
+duplicates = "deny"
+include-path-dependencies = true
 unused = "deny"
 
 [sources]
diff --git a/rust-toolchain.toml b/rust-toolchain.toml
index 9214f62fd..56863444d 100644
--- a/rust-toolchain.toml
+++ b/rust-toolchain.toml
@@ -2,5 +2,5 @@
 # particular date of the nightly compiler, but we want builds to be reproducable, so we lock to a
 # specific, recent instance of nightly.
 [toolchain]
-channel = "nightly-2024-07-11"
+channel = "nightly-2025-02-28"
 profile = "default"
diff --git a/tools/buildsys/src/cache.rs b/tools/buildsys/src/cache.rs
index a9faafaa0..0a8ab4af5 100644
--- a/tools/buildsys/src/cache.rs
+++ b/tools/buildsys/src/cache.rs
@@ -159,7 +159,7 @@ impl LookasideCache {
         let name = parsed
             .path_segments()
             .context(error::ExternalFileNameSnafu { path: url })?
-            .last()
+            .next_back()
             .context(error::ExternalFileNameSnafu { path: url })?;
         Ok(name.into())
     }
diff --git a/tools/buildsys/src/gomod.rs b/tools/buildsys/src/gomod.rs
index 402628f19..8c70f61d7 100644
--- a/tools/buildsys/src/gomod.rs
+++ b/tools/buildsys/src/gomod.rs
@@ -162,7 +162,7 @@ fn extract_file_name(url: &str) -> Result<PathBuf> {
     let name = parsed
         .path_segments()
         .context(error::InputFileBadSnafu { path: url })?
-        .last()
+        .next_back()
         .context(error::InputFileBadSnafu { path: url })?;
     Ok(name.into())
 }
diff --git a/tools/oci-cli-wrapper/src/lib.rs b/tools/oci-cli-wrapper/src/lib.rs
index 1949543f9..956c12b06 100644
--- a/tools/oci-cli-wrapper/src/lib.rs
+++ b/tools/oci-cli-wrapper/src/lib.rs
@@ -3,14 +3,14 @@
 //!
 //! Current two tools are supported:
 //! * crane, gcrane, krane
-//!     Crane provides a more direct interaction with the container registry,
-//!     allowing us to query image information in the registry without having to pull the full image to
-//!     disk. It also does not require a daemon to operate and has optimizations for pulling large images to disk
+//!   Crane provides a more direct interaction with the container registry,
+//!   allowing us to query image information in the registry without having to pull the full image to
+//!   disk. It also does not require a daemon to operate and has optimizations for pulling large images to disk
 //! * docker
-//!     Docker can perform all interactions we need with several caveats that make it less efficient than
-//!     crane. The image needs to be pulled locally in order for docker to inspect the manifest and extract
-//!     metadata. In addition, in order to operate with OCI image format, the containerd-snapshotter
-//!     feature has to be enabled in the docker daemon
+//!   Docker can perform all interactions we need with several caveats that make it less efficient than
+//!   crane. The image needs to be pulled locally in order for docker to inspect the manifest and extract
+//!   metadata. In addition, in order to operate with OCI image format, the containerd-snapshotter
+//!   feature has to be enabled in the docker daemon
 use std::fmt::{Display, Formatter};
 use std::{collections::HashMap, path::Path};
 
diff --git a/tools/testsys/src/aws_resources.rs b/tools/testsys/src/aws_resources.rs
index 12045d166..0f3857190 100644
--- a/tools/testsys/src/aws_resources.rs
+++ b/tools/testsys/src/aws_resources.rs
@@ -114,8 +114,8 @@ pub(crate) struct AmiImage {
 }
 
 /// Create a CRD to launch Bottlerocket instances on an EKS or ECS cluster.
-pub(crate) async fn ec2_crd<'a>(
-    bottlerocket_input: BottlerocketInput<'a>,
+pub(crate) async fn ec2_crd(
+    bottlerocket_input: BottlerocketInput<'_>,
     cluster_type: ClusterType,
     region: &str,
 ) -> Result<Resource> {
@@ -231,8 +231,8 @@ pub(crate) async fn ec2_crd<'a>(
 }
 
 /// Create a CRD to launch Bottlerocket instances on an EKS or ECS cluster.
-pub(crate) async fn ec2_karpenter_crd<'a>(
-    bottlerocket_input: BottlerocketInput<'a>,
+pub(crate) async fn ec2_karpenter_crd(
+    bottlerocket_input: BottlerocketInput<'_>,
     region: &str,
 ) -> Result<Resource> {
     let cluster_name = bottlerocket_input
diff --git a/tools/testsys/src/crds.rs b/tools/testsys/src/crds.rs
index 3bd7f250d..d0545d515 100644
--- a/tools/testsys/src/crds.rs
+++ b/tools/testsys/src/crds.rs
@@ -36,7 +36,7 @@ pub struct CrdInput<'a> {
     pub images: TestsysImages,
 }
 
-impl<'a> CrdInput<'a> {
+impl CrdInput<'_> {
     /// Retrieve the TUF repo information from `Infra.toml`
     pub fn tuf_repo_config(&self) -> Option<TufRepoConfig> {
         if let (Some(metadata_base_url), Some(targets_url)) = (
diff --git a/tools/update-metadata/src/lib.rs b/tools/update-metadata/src/lib.rs
index 101f655d3..973a01bb8 100644
--- a/tools/update-metadata/src/lib.rs
+++ b/tools/update-metadata/src/lib.rs
@@ -311,7 +311,7 @@ impl Update {
             .waves
             .range((Included(0), Excluded(seed)))
             .map(|(k, v)| (*k, *v))
-            .last();
+            .next_back();
         let end_wave = self
             .waves
             .range((Included(seed), Included(MAX_SEED)))
diff --git a/twoliter/src/project/lock/mod.rs b/twoliter/src/project/lock/mod.rs
index 6d9a07b99..6ba9bf237 100644
--- a/twoliter/src/project/lock/mod.rs
+++ b/twoliter/src/project/lock/mod.rs
@@ -1,7 +1,7 @@
-/// Covers the functionality and implementation of Twoliter.lock which is generated using
-/// `twoliter update`. It acts similarly to Cargo.lock as a flattened out representation of all kit
-/// and sdk image dependencies with associated digests so twoliter can validate that contents of a kit
-/// do not mutate unexpectedly.
+//! Covers the functionality and implementation of Twoliter.lock which is generated using
+//! `twoliter update`. It acts similarly to Cargo.lock as a flattened out representation of all kit
+//! and sdk image dependencies with associated digests so twoliter can validate that contents of a kit
+//! do not mutate unexpectedly.
 
 /// Contains operations for working with an OCI Archive
 mod archive;
diff --git a/twoliter/src/project/lock/verification.rs b/twoliter/src/project/lock/verification.rs
index 02744a96a..2d682ea5f 100644
--- a/twoliter/src/project/lock/verification.rs
+++ b/twoliter/src/project/lock/verification.rs
@@ -101,9 +101,6 @@ impl LockfileVerifier for Lock {
     }
 }
 
-/// A `LockfileVerifier` can return a set of `VerifyTag` structs, claiming that those artifacts
-/// have been resolved and verified against the lockfile.
-
 /// Writes marker files indicating which artifacts have been resolved and verified against the lock
 #[derive(Debug)]
 pub(crate) struct VerificationTagger {
diff --git a/twoliter/src/project/vendor.rs b/twoliter/src/project/vendor.rs
index 421d96fb0..704ed1a02 100644
--- a/twoliter/src/project/vendor.rs
+++ b/twoliter/src/project/vendor.rs
@@ -98,7 +98,7 @@ impl OverriddenVendor {
             .unwrap_or(&self.original_vendor.registry)
     }
 
-    pub(crate) fn repo_for<'a, V: VendedArtifact>(&'a self, image: &'a V) -> &str {
+    pub(crate) fn repo_for<'a, V: VendedArtifact>(&'a self, image: &'a V) -> &'a str {
         self.override_
             .name
             .as_deref()

From bf9c8354910de9fff8e595c46c952c22016d0629 Mon Sep 17 00:00:00 2001
From: "Sean P. Kelly" <seankell@amazon.com>
Date: Wed, 5 Mar 2025 20:12:59 +0000
Subject: [PATCH 3/3] ci: unlock cargo-deny dependency

---
 .github/workflows/rust.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index f4f1d8ea2..30d4d6031 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -15,7 +15,7 @@ jobs:
       labels: bottlerocket_ubuntu-latest_16-core
     steps:
       - uses: actions/checkout@v3
-      - run: cargo install cargo-deny@0.17.0 --locked
+      - run: cargo install cargo-deny --locked
       - run: cargo install cargo-make --locked
       - uses: actions/setup-go@v5
         with: