[Pkg-rust-maintainers] Bug#972802: rust-webpki-roots: duplicates ca-certificates, remove from Debian?

Paul Wise pabs at debian.org
Sat Oct 24 02:42:40 BST 2020


Source: rust-webpki-roots
Severity: serious
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>, kpcyrd <git at rxv.cc>
Usertags: embed

rust-webpki-roots is essentially a duplicate of ca-certificates.

https://tracker.debian.org/pkg/ca-certificates
https://wiki.debian.org/EmbeddedCopies

AFAICT, rebuilding the package from source doesn't run the upstream
supplied build.py script, so rebuilding from source won't update the
certs available in the package.

Having to rebuild rust-webpki-roots and everything that depends on it
after every update of ca-certificates would be very annoying though.

Probably rust-webpki-roots should be removed from Debian and replaced
with something that loads the certs from ca-certificates at runtime.

As far as I can tell, nothing in Debian uses rust-webpki-roots, but on
IRC, kpcyrd mentioned that they have projects that use webpki-roots,
CCing them in order to get more info about that usage.

   $ ssh mirror.ftp-master.debian.org dak rm -s unstable -Rn rust-webpki-roots



   Will remove the following packages from unstable:

   librust-webpki-roots-dev | 0.20.0-1+b1 | amd64, arm64, armel, armhf, i386
   rust-webpki-roots |   0.20.0-1 | source
   webpki-roots | 0.20.0-1+b1 | amd64, arm64, armel, armhf, i386

   Maintainer: Debian Rust Maintainers <pkg-rust-maintainers at alioth-lists.debian.net>

   ------------------- Reason -------------------

   ----------------------------------------------

   Checking reverse dependencies...
   No dependency problem found.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
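
The runtime loading proposed in the message above, as an added example that is not part of the original e-mail and is not code from webpki-roots or any Debian package: it reads the system PEM bundle when the program starts instead of compiling a copy of the certificates into the binary. The bundle path, the function names and the std-only base64 decoder are assumptions made for this sketch; it only extracts DER trust anchors and performs no chain validation.

```rust
// Assumption: Debian's ca-certificates writes its concatenated PEM bundle here.
const SYSTEM_BUNDLE: &str = "/etc/ssl/certs/ca-certificates.crt";
const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const END: &str = "-----END CERTIFICATE-----";

/// Decode standard base64, skipping whitespace and '=' padding; None on any other byte.
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            b'=' | b'\n' | b'\r' | b' ' | b'\t' => continue,
            _ => return None,
        };
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

/// Split a PEM bundle into DER certificates; malformed or truncated blocks are skipped.
fn parse_bundle(pem: &str) -> Vec<Vec<u8>> {
    let mut certs = Vec::new();
    let mut rest = pem;
    while let Some(start) = rest.find(BEGIN) {
        let body = &rest[start + BEGIN.len()..];
        let end = match body.find(END) { Some(e) => e, None => break };
        // An X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
        certs.extend(b64_decode(&body[..end]).filter(|d| d.first() == Some(&0x30)));
        rest = &body[end + END.len()..];
    }
    certs
}

fn main() -> std::io::Result<()> {
    // Read at startup: a ca-certificates update takes effect without a rebuild.
    let roots = parse_bundle(&std::fs::read_to_string(SYSTEM_BUNDLE)?);
    println!("{} trust anchors loaded from {}", roots.len(), SYSTEM_BUNDLE);
    Ok(())
}
```

The DER blobs returned by `parse_bundle` are what a TLS library's root store would be populated from; removing or distrusting a CA then only requires updating ca-certificates, not rebuilding every dependent binary.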