Control: tags -1 + pending

On 14/08/24 at 15:16, Justus Winter wrote:
> Dear maintainer,
>
> When the Rust bindings for libbz2 are built, the build framework tries
> to locate libbz2 via pkg-config, but when that fails, a vendored copy of
> libbz2 is compiled and statically linked into the resulting artifact.
>
> This is unfortunate, because the Debian policy advises against using
> source copies.
>
> https://www.debian.org/doc/debian-policy/ch-source.html#embedded-code-copies
>
> Sequoia, an implementation of OpenPGP, relies on the Rust bindings for
> libbz2. There are two reasons why I wish builds of Sequoia would
> use the distribution's libbz2 on Debian (like they do on Fedora, for
> example):
>
> First, compressed OpenPGP messages are usually first signed, then
> compressed, then encrypted. So, when decrypting a message, it is fed to
> the decompression library before it is authenticated. Therefore, we
> need to assume that attacker-controlled material is fed to the library,
> and as such it is of the utmost importance that libbz2 is secure and
> kept up-to-date. Having a source copy of libbz2 makes it less likely
> that any security updates are applied to it.
>
> Second, statically linking in libbz2 increases the size of our binaries,
> and this has been held against us.
>
> Please ship a pkg-config definition for libbz2.

Thanks for the heads-up. I've added a pc file that will be part of the next
release (to be uploaded soon):

https://salsa.debian.org/debian/bzip2/-/blob/5dc382b93c57fa0138ea1b4cc0f5c50a0d6e5020/debian/bzip2.pc

Cheers,

-- 
Santiago
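An added illustration of the first point in the report above (the decompressor sees the data before the signature is verified); this is not code from Sequoia or from the Debian bzip2 package. It uses Python's bz2 module, which links libbz2, to decompress untrusted input under a hard output bound, so that a small, highly compressible stream cannot force a large allocation before authentication. The sample inputs are constructed, not real OpenPGP packets.

```python
import bz2


class DecompressionLimitExceeded(Exception):
    """Decompressed output would exceed the caller's limit."""


def decompress_bounded(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress one bz2 stream without buffering more than max_output bytes.

    The compressed bytes are treated as attacker-controlled: they are handed
    to libbz2 before any signature on the plaintext can be checked.
    """
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    pos = 0
    while not dec.eof:
        piece = data[pos:pos + chunk]          # b"" once all input has been fed
        pos += len(piece)
        # Ask for at most one byte more than we may keep: if it arrives, the
        # stream is over budget and we stop without buffering the rest.
        produced = dec.decompress(piece, max_length=max_output - len(out) + 1)
        out += produced
        if len(out) > max_output:
            raise DecompressionLimitExceeded(f"output exceeds {max_output} bytes")
        if not piece and not produced and not dec.eof:
            raise ValueError("truncated bz2 stream")
    if dec.unused_data:
        raise ValueError("trailing bytes after end of bz2 stream")
    return bytes(out)


def exceeds_limit(data: bytes, max_output: int) -> bool:
    """True if decompressing `data` would exceed `max_output` bytes."""
    try:
        decompress_bounded(data, max_output)
    except DecompressionLimitExceeded:
        return True
    return False


# Constructed sample inputs: a small signed-looking body, and a few megabytes
# of zeros that bzip2 reduces to a handful of bytes.
MESSAGE = b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nhello\n"
COMPRESSED_MESSAGE = bz2.compress(MESSAGE)
HIGHLY_COMPRESSIBLE = bz2.compress(b"\0" * 4_000_000)

if __name__ == "__main__":
    print(decompress_bounded(COMPRESSED_MESSAGE, 4096))
    print(len(HIGHLY_COMPRESSIBLE), "compressed bytes; over a 64 KiB limit:",
          exceeds_limit(HIGHLY_COMPRESSIBLE, 64 * 1024))
```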

