Quoting Peter Green (2025-02-20 02:53:09)
> On 19/02/2025 05:49, Jonas Smedegaard wrote:
> > I would love to get rustls-native-certs upgraded, and am happy for help
> > doing it, but think that it will require fixing each reverse dependency
> > first - which was possibly also the exact thing you were doing here.
> Yup, working through the reverse dependencies preparing fixes

Great!

> > Instead of patching to use newer rustls-native-certs, the upstream
> > recommendation is to instead move to rustls-platform-verifier.
> My general feeling is that such a switch is a matter for upstreams
> not for distro patches.

Debian already overrules upstream when it chooses to bake certs into each compiled binary.

> Also afaict such a switch requires updating to the new version of
> rustls, whereas merely updating rustls-native-certs does not.

Yes. But only because rustls-platform-verifier in unstable was not patched to use rustls v0.21.

> That said, if packages move to rustls-platform-verifier and stop
> directly using rustls-native-certs and rustls-pemfile, it effectively
> removes them from the set of packages that need to be dealt with as
> part of this update (rustls-platform-verifier itself will need to be,
> but that should just be a matter of dropping patches).

Exactly: moving to rustls-platform-verifier reduces the surface of code intimately entangled in the rustls migration, and it reduces that surface for other reasons too: it is hard to do it right, so it is risky to have to do it right in many places - which applies both to upstream and to Debian patching.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

