[Pkg-rust-maintainers] Bug#946921: (rust-spin) Project abandoned

peter green plugwash at p10link.net
Sun Apr 12 09:28:52 BST 2020 

> https://rustsec.org/advisories/RUSTSEC-2019-0031.html  was issued to flag that
> rust-spin development stop. I suppose that means it should not enter bullseye
> / get removed.
This bug is currently one of several blockers for getting rust-cbindgen back into testing and thus making the build-dependencies of firefox-esr satisfiable again there.

Looking at the reverse dependencies (note: dak rm does not work for rust stuff, I'm guessing it lacks understanding of versioned provides). There seem to be two librust-ring-dev and librust-lazy-static+spin-dev

librust-lazy-static+spin-dev does not seem to have any reverse dependencies.

librust-ring-dev (or it's same-source rdeps) has reverse dependencies of librust-webpki-dev librust-trust-dns-proto+ring-dev librust-trust-dns-proto+dnssec-ring-dev librust-sct-dev librust-cookie+secure-dev and librust-cookie+ring-dev

rust-webpki (or it's same-source rdeps) has reverse dependencies of librust-reqwest+webpki-roots-dev and librust-reqwest+rustls-tls-dev

librust-trust-dns-proto+ring-dev and librust-trust-dns-proto+dnssec-ring-dev do not seem to have any reverse dependencies.

librust-sct-dev does not seem to have any reverse dependencies

librust-cookie+secure-dev and librust-cookie+ring-dev does not seem to have any reverse dependencies.

rust-reqwest seems to be badly busted anyway and doesn't seem to be required for getting cbindgen back into testing

So I see two possible ways forward here.

1. Downgrade this bug, decide that while abandonment obviously raises the possibility of unfixed security holes, this abandoned rust package is not that big a deal in the grand scheme of things.

2. Modify rust-lazy-static, rust-trust-dns-proto and rust-cookie to drop the featureset packages that depend (directly or indirectly) on librust-spin-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/attachments/20200412/141791b3/attachment-0001.html>

More information about the Pkg-rust-maintainers mailing list