[Pkg-auth-maintainers] Bug#1039431: Maintaining yubiserver in Authentication tools packaging team?
Simon Josefsson
simon at josefsson.org
Thu Nov 20 11:51:17 GMT 2025
Hi
If you need a sponsor for yubiserver-rs, please reach out -- it would be
nice to have a replacement in Debian. Btw, I suggest to use
pkg-security team rather than pkg-auth-maintainers, I'm trying to wind
down the latter.
/Simon
Chrysostomos Nanakos <chris at include.gr> writes:
> Hi Andreas,
> fair enough. Let’s remove it with next step being the packaging of yubiserver-rs.
>
> Kind regards,
> Chrysostomos.
>
>> On 16 Nov 2025, at 19:07, Andreas Tille <tille at debian.org> wrote:
>>
>> Hi again,
>>
>> Am Sat, Aug 02, 2025 at 07:46:56AM +0200 schrieb Andreas Tille:
>>> Am Fri, Aug 01, 2025 at 11:01:05PM +0300 schrieb Chrysostomos Nanakos:
>>>> Hey Andreas,
>>>> just saw your email with regard the yubiserver.
>>>
>>> thanks a lot for your fast response.
>>>
>>>> I have stopped working on this implementation and using the rust
>>>> implementation instead. It can be found here if you are interested
>>>> replacing it or use it:
>>>>
>>>> https://github.com/cnanakos/yubiserver-rs
>>>
>>> Cool. This sounds very promising.
>>
>> While yubiserver-rs sounds promising it means on the other hand that the
>> yubiserver package in Debian is orphaned. Now since bug has RC severity
>> it might make sense to remove this packagage from Debian and I intend to
>> do so after waiting one month.
>>
>>>> I would like to find some time package it and replace the existing one but with no luck so far.
>>>
>>> I admit I would like to support your packaging attempt but I can't
>>> promise anything since I have no experience with Rust packaging. I
>>> trust that someone in the team might help in case of stumbling stones.
>>>
>>> Could you be more verbose about "no luck so far"?
>>>
>>> When checking the repository I noticed there are no release tags. I
>>> would recommend adding such tags to let the world (not only the Debian
>>> packagers) know, what commit might be of release quality (in contrast to
>>> development commits). In Debian we could point the watch file to these
>>> tags.
>>
>> I have not seen any tags yet. I also need to admit I did not had packaged
>> any Rust package yet and can't backup your attempt with any knowledge here.
>>
>>> Alternatively we could create a new package yubiserver-rs make it
>>> providing yubiserver and remove the original yubiserver from Debian (if
>>> you think there is no real use for it any more).
>>
>> Mean while I think removing the current package from Debian seems like a
>> sensible way to go to not attract users to orphaned security software.
>>
>> Kind regards
>> Andreas.
>>
>> --
>> https://fam-tille.de
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1251 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-auth-maintainers/attachments/20251120/94d3b10a/attachment.sig>
More information about the Pkg-auth-maintainers
mailing list