severity 946921 important
thanks

On Sun, Apr 12, 2020 at 09:28:52AM +0100, peter green wrote:
> > https://rustsec.org/advisories/RUSTSEC-2019-0031.html was issued to flag
> > that rust-spin development stop. I suppose that means it should not enter
> > bullseye / get removed.
>
> This bug is currently one of several blockers for getting rust-cbindgen back
> into testing and thus making the build-dependencies of firefox-esr
> satisfiable again there.
>
> Looking at the reverse dependencies (note: dak rm does not work for rust
> stuff, I'm guessing it lacks understanding of versioned provides). There seem
> to be two: librust-ring-dev and librust-lazy-static+spin-dev.
>
> librust-lazy-static+spin-dev does not seem to have any reverse dependencies.
>
> librust-ring-dev (or its same-source rdeps) has reverse dependencies of
> librust-webpki-dev, librust-trust-dns-proto+ring-dev,
> librust-trust-dns-proto+dnssec-ring-dev, librust-sct-dev,
> librust-cookie+secure-dev and librust-cookie+ring-dev.
>
> rust-webpki (or its same-source rdeps) has reverse dependencies of
> librust-reqwest+webpki-roots-dev and librust-reqwest+rustls-tls-dev.
>
> librust-trust-dns-proto+ring-dev and librust-trust-dns-proto+dnssec-ring-dev
> do not seem to have any reverse dependencies.
>
> librust-sct-dev does not seem to have any reverse dependencies.
>
> librust-cookie+secure-dev and librust-cookie+ring-dev do not seem to have
> any reverse dependencies.
>
> rust-reqwest seems to be badly busted anyway and doesn't seem to be required
> for getting cbindgen back into testing.
>
> So I see two possible ways forward here.
>
> 1. Downgrade this bug, decide that while abandonment obviously raises the
>    possibility of unfixed security holes, this abandoned rust package is not
>    that big a deal in the grand scheme of things.

Let's do that, then.

Cheers,
Moritz