
<html>

  <head>


    <meta http-equiv="content-type" content="text/html; charset=UTF-8">

  </head>

  <body>

    <p>

      <blockquote type="cite">

        <pre class="message"><a href="https://rustsec.org/advisories/RUSTSEC-2019-0031.html">https://rustsec.org/advisories/RUSTSEC-2019-0031.html</a> was issued to flag that

rust-spin development stop. I suppose that means it should not enter bullseye

/ get removed.</pre>

      </blockquote>

      This bug is currently one of several blockers for getting

      rust-cbindgen back into testing and thus making the

      build-dependencies of firefox-esr satisfiable again there.<br>

      <br>

      Looking at the reverse dependencies (note: dak rm does not work

      for rust stuff, I'm guessing it lacks understanding of versioned

      provides). There seem to be two librust-ring-dev and

      librust-lazy-static+spin-dev<br>

      <br>

      librust-lazy-static+spin-dev does not seem to have any reverse

      dependencies.<br>

    </p>

    <p>librust-ring-dev (or it's same-source rdeps) has reverse

      dependencies of librust-webpki-dev

      librust-trust-dns-proto+ring-dev

      librust-trust-dns-proto+dnssec-ring-dev librust-sct-dev

      librust-cookie+secure-dev and librust-cookie+ring-dev<br>

    </p>

    <p>rust-webpki (or it's same-source rdeps) has reverse dependencies

      of librust-reqwest+webpki-roots-dev and

      librust-reqwest+rustls-tls-dev<br>

    </p>

    <p>librust-trust-dns-proto+ring-dev and

      librust-trust-dns-proto+dnssec-ring-dev do not seem to have any

      reverse dependencies.<br>

    </p>

    <p>librust-sct-dev does not seem to have any reverse dependencies<br>

    </p>

    <p>librust-cookie+secure-dev and librust-cookie+ring-dev does not

      seem to have any reverse dependencies.<br>

      <br>

      rust-reqwest seems to be badly busted anyway and doesn't seem to

      be required for getting cbindgen back into testing</p>

    <p>So I see two possible ways forward here.<br>

      <br>

      1. Downgrade this bug, decide that while abandonment obviously

      raises the possibility of unfixed security holes, this abandoned

      rust package is not that big a deal in the grand scheme of things.<br>

      <br>

      2. Modify rust-lazy-static, rust-trust-dns-proto and rust-cookie

      to drop the featureset packages that depend (directly or

      indirectly) on librust-spin-dev<br>

    </p>

  </body>

</html>