[Pkg-rust-maintainers] Bug#1050299: Bug#1050299: rust-webpki: RUSTSEC-2023-0052
Peter Green
plugwash at debian.org
Sat Sep 9 01:07:36 BST 2023
> I think this indicates that it can indeed be safely removed from Debian? I'm
> CC'ing developers that have made uploads to this packages in the past for
> additiponal opinions as I suspect the issue is more subtle than that.
dak rm does not take account of virtual packages. So for rust packages
it is generally useless.
In terms of reverse dependencies, a number have already moved to the fork
rustls-webpki. However there are still a few left. Specifically
rust-async-tls, rust-trust-dns-proto and rust-trust-dns-client.
async-tls has not switched upstream. On the other hand I don't
see any packages in Debian using it yet. ccing mjt to see what
the reason for packaging it was.
trust-dns-proto and trust-dns-server have switched upstream, however
updating the trust-dns-packages has proved a bit more involved than
I would have liked. I pushed my current efforts to the branch
trust-dns-0.23 in the debcargo-conf repo.
The main thing left to deal with regarding the trust-dns is
aardvark-dns, the code changes needed were beyond my skills,
so I reported an issue upstream. Upstream has come up with
a patch but has not merged it yet.
https://github.com/containers/aardvark-dns/pull/381
More information about the Pkg-rust-maintainers
mailing list