Bug#962508: switch libcurl to openssl by default

2024-05-08 Thread Fabian Grünbichler
On Mon, 08 Jun 2020 19:16:27 -0400 Harlan Lieberman-Berg wrote:
> Package: cargo
> Version: 0.43.1-3
> Severity: wishlist
> 
> Hello fellow Rustaceans!
> 
> Because cargo has a direct dependency on OpenSSL, it seems logical that we
> should switch the priority of openssl and gnutls so Cargo, at least by default,
> isn't building against two different TLS implementations.
> 
> This is especially important considering GnuTLS has had some painful security
> incidents recently: CVE-2020-13777 in particular.
> 
> Should just require switching the order of the libcurl dep in d/control.

Hi,

took a look at this while going through bug backlog. Unfortunately it's not as 
easy - switching the direct cargo->gnutls dep around to use the openssl variant 
works, but
- libgit2 pulls in mbedtls
- curl itself pulls in gnutls and nettle (via librtmp1), even in the openssl 
variant

If those are fixed at some point, switching over seems sensible.

libgit2 is in the process of being replaced upstream with gix, but I suspect 
that will still take a while to be completed.
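As an added example (not code from this bug thread), the script below walks a binary's NEEDED shared-library graph and reports the shortest path to each TLS/crypto stack it reaches, which is the check behind the reply above. The graph in `CONSTRUCTED_NEEDED` is constructed to mirror the situation described (openssl curl variant, librtmp1 dragging in gnutls/nettle, libgit2 bringing mbedtls); on a real system, feed `readelf -d` output of each object to `needed_from_readelf` to build the graph instead.

```python
import re
from collections import deque

# Shared-library name prefixes that identify a TLS/crypto stack.
TLS_STACKS = {
    "libssl.so": "openssl", "libcrypto.so": "openssl",
    "libgnutls.so": "gnutls", "libnettle.so": "nettle", "libhogweed.so": "nettle",
    "libmbedtls.so": "mbedtls", "libmbedcrypto.so": "mbedtls", "libmbedx509.so": "mbedtls",
}
# Matches lines such as "0x01 (NEEDED) Shared library: [libcurl.so.4]".
NEEDED_RE = re.compile(r"\(NEEDED\).*\[([^\]]+)\]")

def needed_from_readelf(text):
    """Extract NEEDED sonames from the output of `readelf -d <object>`."""
    return NEEDED_RE.findall(text)

def stack_of(lib):
    """Map a soname to the TLS stack it belongs to, or None."""
    return next((s for p, s in TLS_STACKS.items() if lib.startswith(p)), None)

def tls_paths(needed, root):
    """BFS over NEEDED edges from root; return {stack: shortest path to it}."""
    paths, seen, queue = {}, {root}, deque([[root]])
    while queue:
        path = queue.popleft()
        for dep in needed.get(path[-1], []):
            if dep in seen:
                continue
            seen.add(dep)
            stack = stack_of(dep)
            if stack and stack not in paths:
                paths[stack] = path + [dep]
            queue.append(path + [dep])
    return paths

# Constructed graph (not real readelf output): cargo linked against the
# openssl curl variant, where librtmp1 still drags in gnutls/nettle and
# libgit2 brings mbedtls, as the reply above describes.
CONSTRUCTED_NEEDED = {
    "cargo": ["libcurl.so.4", "libgit2.so.28", "libssl.so.1.1", "libc.so.6"],
    "libcurl.so.4": ["libssl.so.1.1", "librtmp.so.1", "libc.so.6"],
    "librtmp.so.1": ["libgnutls.so.30", "libnettle.so.7", "libhogweed.so.5"],
    "libgit2.so.28": ["libmbedtls.so.12", "libssh2.so.1"],
    "libssh2.so.1": ["libssl.so.1.1"],
}

if __name__ == "__main__":
    for stack, path in sorted(tls_paths(CONSTRUCTED_NEEDED, "cargo").items()):
        print(f"{stack:8s} via {' -> '.join(path)}")
```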

Bug#962508: switch libcurl to openssl by default

2020-06-08 Thread Harlan Lieberman-Berg
Package: cargo
Version: 0.43.1-3
Severity: wishlist

Hello fellow Rustaceans!

Because cargo has a direct dependency on OpenSSL, it seems logical that we
should switch the priority of openssl and gnutls so Cargo, at least by default,
isn't building against two different TLS implementations.

This is especially important considering GnuTLS has had some painful security
incidents recently: CVE-2020-13777 in particular.

Should just require switching the order of the libcurl dep in d/control.

Sincerely,

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cargo depends on:
ii  binutils2.34-8
ii  gcc [c-compiler]4:9.2.1-3.1
ii  gcc-8 [c-compiler]  8.4.0-4
ii  gcc-9 [c-compiler]  9.3.0-13
ii  libc6   2.30-8
ii  libcurl3-gnutls 7.68.0-1
ii  libgcc-s1   10.1.0-1
ii  libgit2-28  0.28.5+dfsg.1-1
ii  libssh2-1   1.8.0-2.1
ii  libssl1.1   1.1.1g-1
ii  rustc   1.42.0+dfsg1-1
ii  zlib1g  1:1.2.11.dfsg-2

cargo recommends no packages.

Versions of packages cargo suggests:
pn  cargo-doc  
ii  python33.8.2-3

-- no debconf information