On Sat, Oct 24, 2020 at 09:42:40AM +0800, Paul Wise wrote:
> Source: rust-webpki-roots
> Severity: serious
> Tags: security
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>, kpcyrd <g...@rxv.cc>
> Usertags: embed
>
> rust-webpki-roots is essentially a duplicate of ca-certificates.
>
> https://tracker.debian.org/pkg/ca-certificates
> https://wiki.debian.org/EmbeddedCopies
>
> AFAICT, rebuilding the package from source doesn't run the upstream
> supplied build.py script, so rebuilding from source won't update the
> certs available in the package.

Yes, running the build.py script would cause reproducible builds issues
because it's used to take snapshots of Mozilla's trusted root CA certificates.

> Having to rebuild rust-webpki-roots and everything that depends on it
> after every update of ca-certificates would be very annoying though.
>
> Probably rust-webpki-roots should be removed from Debian and replaced
> with something that loads the certs from ca-certificates at runtime.

This is a very non-trivial downstream patch though, the project I'm trying
to package runs in a sandbox and loading certificates from disk at runtime
is not possible without redesigning some things.

> As far as I can tell, nothing in Debian uses rust-webpki-roots, but on
> IRC, kpcyrd mentioned that they have projects that use webpki-roots,
> CCing them in order to get more info about that usage.

webpki-roots is an optional dependency of reqwest, see
librust-reqwest+webpki-roots-dev[1]. It's related to webpki[2]/rustls[3],
the latter only got accepted into Debian very recently.

[1]: https://packages.debian.org/unstable/librust-reqwest+webpki-roots-dev
[2]: https://tracker.debian.org/pkg/rust-webpki
[3]: https://tracker.debian.org/pkg/rust-rustls
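The alternative the thread discusses, reading the system trust store at runtime instead of compiling a snapshot of the Mozilla roots into the binary, needs a PEM bundle parser and nothing else, since rustls consumes DER certificates. The following is an added example written for this page; it is not code from rust-webpki-roots, rustls, reqwest or the Debian packaging. It uses only the Rust standard library (a minimal base64 decoder replaces the `base64`/`rustls-pemfile` crates a real project would use), assumes Debian's bundle path `/etc/ssl/certs/ca-certificates.crt`, and parses a constructed two-block sample so it runs offline; the certificate body in the sample is a made-up 5-byte DER blob, not a real CA. The sandbox concern raised in the reply is addressed the usual way: the bundle is read once, before any sandbox is entered, and only the resulting in-memory DER list is handed to the TLS stack.

```rust
use std::fs;
use std::io;

/// Where Debian's ca-certificates package installs its concatenated PEM bundle.
/// Assumption: other distributions use different paths (e.g. /etc/pki/...).
pub const DEBIAN_CA_BUNDLE: &str = "/etc/ssl/certs/ca-certificates.crt";

/// Constructed sample bundle (NOT real certificates): one CERTIFICATE block whose
/// body is base64("30 03 02 01 01"), plus a non-certificate block that must be skipped.
pub const SAMPLE_BUNDLE: &str = "\
# constructed sample, comment lines outside blocks are ignored
-----BEGIN X509 CRL-----
AAAA
-----END X509 CRL-----
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
";

/// Standard base64 (RFC 4648, '=' padded) decoder using only std.
/// Whitespace is skipped; any other byte outside the alphabet is an error.
fn base64_decode(input: &str) -> Result<Vec<u8>, String> {
    fn val(c: u8) -> Option<u32> {
        match c {
            b'A'..=b'Z' => Some((c - b'A') as u32),
            b'a'..=b'z' => Some((c - b'a') as u32 + 26),
            b'0'..=b'9' => Some((c - b'0') as u32 + 52),
            b'+' => Some(62),
            b'/' => Some(63),
            _ => None,
        }
    }
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for &c in input.as_bytes() {
        if c.is_ascii_whitespace() { continue; }
        if c == b'=' { break; } // padding: no more data bits follow
        let v = val(c).ok_or_else(|| format!("bad base64 byte {:?}", c as char))?;
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push(((acc >> bits) & 0xff) as u8);
            acc &= (1u32 << bits) - 1; // keep only the unconsumed low bits
        }
    }
    Ok(out)
}

/// One PEM block: the label from "-----BEGIN <label>-----" and its decoded body.
#[derive(Debug, PartialEq)]
pub struct PemBlock {
    pub label: String,
    pub der: Vec<u8>,
}

/// Parse a PEM bundle. Text outside BEGIN/END markers is ignored; nested,
/// unterminated or mismatched blocks are rejected rather than silently dropped.
pub fn parse_pem(text: &str) -> Result<Vec<PemBlock>, String> {
    let mut blocks = Vec::new();
    let mut current: Option<(String, String)> = None; // (label, base64 so far)
    for line in text.lines() {
        let line = line.trim();
        if let Some(rest) = line.strip_prefix("-----BEGIN ") {
            if current.is_some() { return Err("nested BEGIN".into()); }
            let label = rest.strip_suffix("-----").ok_or("malformed BEGIN line")?;
            current = Some((label.to_string(), String::new()));
        } else if let Some(rest) = line.strip_prefix("-----END ") {
            let (label, b64) = current.take().ok_or("END without BEGIN")?;
            let end_label = rest.strip_suffix("-----").ok_or("malformed END line")?;
            if end_label != label {
                return Err(format!("label mismatch: BEGIN {} / END {}", label, end_label));
            }
            blocks.push(PemBlock { label, der: base64_decode(&b64)? });
        } else if let Some((_, b64)) = current.as_mut() {
            b64.push_str(line);
        }
    }
    if current.is_some() { return Err("unterminated PEM block".into()); }
    Ok(blocks)
}

/// Keep only CERTIFICATE blocks, as DER, which is the form a TLS root store takes.
pub fn certs_from_pem(text: &str) -> Result<Vec<Vec<u8>>, String> {
    Ok(parse_pem(text)?.into_iter()
        .filter(|b| b.label == "CERTIFICATE")
        .map(|b| b.der)
        .collect())
}

/// Read the system bundle at runtime. Call this before entering a sandbox that
/// denies filesystem access; only the returned Vec needs to cross into it.
pub fn load_system_roots(path: &str) -> io::Result<Vec<Vec<u8>>> {
    let text = fs::read_to_string(path)?;
    certs_from_pem(&text).map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))
}

fn main() {
    match load_system_roots(DEBIAN_CA_BUNDLE) {
        Ok(roots) => println!("{} roots loaded from {}", roots.len(), DEBIAN_CA_BUNDLE),
        Err(e) => {
            let n = certs_from_pem(SAMPLE_BUNDLE).map(|v| v.len()).unwrap_or(0);
            println!("system bundle unavailable ({}); sample bundle yields {} cert(s)", e, n);
        }
    }
}
```

With the real crates, the equivalent of `certs_from_pem` is `rustls_pemfile::certs` and the resulting DER list is fed to `RootCertStore::add_parsable_certificates`; exact signatures vary between rustls versions, so check the version Debian ships. Because the roots now come from ca-certificates, a CA distrust or addition reaches the program on the next `apt upgrade` with no rebuild, which is the property the bug report asks for.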