[Pkg-rust-maintainers] Bug#972802: rust-webpki-roots: duplicates ca-certificates, remove from Debian?

[kpcyrd]

On Sat, Oct 24, 2020 at 09:42:40AM +0800, Paul Wise wrote:
> Source: rust-webpki-roots
> Severity: serious
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>, kpcyrd <git at rxv.cc>
> Usertags: embed
> 
> rust-webpki-roots is essentially a duplicate of ca-certificates.
> 
> https://tracker.debian.org/pkg/ca-certificates
> https://wiki.debian.org/EmbeddedCopies
> 
> AFAICT, rebuilding the package from source doesn't run the upstream
> supplied build.py script, so rebuilding from source won't update the
> certs available in the package.

Yes, running the build.py script would cause reproducible builds issues
because it's used to take snapshots of Mozilla's trusted root CA
certificates.

> Having to rebuild rust-webpki-roots and everything that depends on it
> after every update of ca-certificates would be very annoying though.
> 
> Probably rust-webpki-roots should be removed from Debian and replaced
> with something that loads the certs from ca-certificates at runtime.

This is a very non-trivial downstream patch though, the project I'm
trying to package runs in a sandbox and loading certificates from disk
at runtime is not possible without redesigning some things.

> As far as I can tell, nothing in Debian uses rust-webpki-roots, but on
> IRC, kpcyrd mentioned that they have projects that use webpki-roots,
> CCing them in order to get more info about that usage.

webpki-roots is an optional dependency of reqwest, see
librust-reqwest+webpki-roots-dev[1]. It's related to
webpki[2]/rustls[3], the later only got accepted into debian very
recently.

[1]: https://packages.debian.org/unstable/librust-reqwest+webpki-roots-dev
[2]: https://tracker.debian.org/pkg/rust-webpki
[3]: https://tracker.debian.org/pkg/rust-rustls