[Pkg-rust-maintainers] Bug#962508: switch libcurl to openssl by default

Harlan Lieberman-Berg hlieberman at debian.org
Tue Jun 9 00:16:27 BST 2020

Package: cargo
Version: 0.43.1-3
Severity: wishlist

Hello fellow Rustaceans!

Because cargo has a direct dependency on OpenSSL, it seems logical that we
should switch the priority of openssl and gnutls so Cargo, at least by default,
isn't building against two different TLS implementations.

This is especially important considering GnuTLS has had some painful security
incidents recently: CVE-2020-13777 in particular.

Should just require switching the order of the libcurl dep in d/control.


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cargo depends on:
ii  binutils            2.34-8
ii  gcc [c-compiler]    4:9.2.1-3.1
ii  gcc-8 [c-compiler]  8.4.0-4
ii  gcc-9 [c-compiler]  9.3.0-13
ii  libc6               2.30-8
ii  libcurl3-gnutls     7.68.0-1
ii  libgcc-s1           10.1.0-1
ii  libgit2-28          0.28.5+dfsg.1-1
ii  libssh2-1           1.8.0-2.1
ii  libssl1.1           1.1.1g-1
ii  rustc               1.42.0+dfsg1-1
ii  zlib1g              1:1.2.11.dfsg-2

cargo recommends no packages.

Versions of packages cargo suggests:
pn  cargo-doc  <none>
ii  python3    3.8.2-3

-- no debconf information
