severity 946921 important
thanks

On Sun, Apr 12, 2020 at 09:28:52AM +0100, peter green wrote:
> > https://rustsec.org/advisories/RUSTSEC-2019-0031.html was issued to flag that
> > rust-spin development stop. I suppose that means it should not enter bullseye
> > / get removed.
> This bug is currently one of several blockers for getting rust-cbindgen back 
> into testing and thus making the build-dependencies of firefox-esr 
> satisfiable again there.
> 
> Looking at the reverse dependencies (note: dak rm does not work for rust 
> stuff, I'm guessing it lacks understanding of versioned provides). There seem 
> to be two: librust-ring-dev and librust-lazy-static+spin-dev
> 
> librust-lazy-static+spin-dev does not seem to have any reverse dependencies.
> 
> librust-ring-dev (or its same-source rdeps) has reverse dependencies of 
> librust-webpki-dev librust-trust-dns-proto+ring-dev 
> librust-trust-dns-proto+dnssec-ring-dev librust-sct-dev 
> librust-cookie+secure-dev and librust-cookie+ring-dev
> 
> rust-webpki (or its same-source rdeps) has reverse dependencies of 
> librust-reqwest+webpki-roots-dev and librust-reqwest+rustls-tls-dev
> 
> librust-trust-dns-proto+ring-dev and librust-trust-dns-proto+dnssec-ring-dev 
> do not seem to have any reverse dependencies.
> 
> librust-sct-dev does not seem to have any reverse dependencies
> 
> librust-cookie+secure-dev and librust-cookie+ring-dev do not seem to have 
> any reverse dependencies.
> 
> rust-reqwest seems to be badly busted anyway and doesn't seem to be required 
> for getting cbindgen back into testing
> 
> So I see two possible ways forward here.
> 
> 1. Downgrade this bug, decide that while abandonment obviously raises the 
> possibility of unfixed security holes, this abandoned rust package is not 
> that big a deal in the grand scheme of things.

Let's do that, then.

Cheers,
        Moritz
