[Pkg-rust-maintainers] Bug#946921: (rust-spin) Project abandoned

[Moritz Mühlenhoff]

severity 946921 important
thanks

On Sun, Apr 12, 2020 at 09:28:52AM +0100, peter green wrote:
> > https://rustsec.org/advisories/RUSTSEC-2019-0031.html  was issued to flag that
> > rust-spin development stop. I suppose that means it should not enter bullseye
> > / get removed.
> This bug is currently one of several blockers for getting rust-cbindgen back into testing and thus making the build-dependencies of firefox-esr satisfiable again there.
> 
> Looking at the reverse dependencies (note: dak rm does not work for rust stuff, I'm guessing it lacks understanding of versioned provides). There seem to be two librust-ring-dev and librust-lazy-static+spin-dev
> 
> librust-lazy-static+spin-dev does not seem to have any reverse dependencies.
> 
> librust-ring-dev (or it's same-source rdeps) has reverse dependencies of librust-webpki-dev librust-trust-dns-proto+ring-dev librust-trust-dns-proto+dnssec-ring-dev librust-sct-dev librust-cookie+secure-dev and librust-cookie+ring-dev
> 
> rust-webpki (or it's same-source rdeps) has reverse dependencies of librust-reqwest+webpki-roots-dev and librust-reqwest+rustls-tls-dev
> 
> librust-trust-dns-proto+ring-dev and librust-trust-dns-proto+dnssec-ring-dev do not seem to have any reverse dependencies.
> 
> librust-sct-dev does not seem to have any reverse dependencies
> 
> librust-cookie+secure-dev and librust-cookie+ring-dev does not seem to have any reverse dependencies.
> 
> rust-reqwest seems to be badly busted anyway and doesn't seem to be required for getting cbindgen back into testing
> 
> So I see two possible ways forward here.
> 
> 1. Downgrade this bug, decide that while abandonment obviously raises the possibility of unfixed security holes, this abandoned rust package is not that big a deal in the grand scheme of things.

Let's do that, then.

Cheers,
        Moritz