[Pkg-rust-maintainers] Bug#972802: rust-webpki-roots: duplicates ca-certificates, remove from Debian?
kpcyrd
kpcyrd at rxv.cc
Sat Oct 24 04:06:47 BST 2020
On Sat, Oct 24, 2020 at 09:42:40AM +0800, Paul Wise wrote:
> Source: rust-webpki-roots
> Severity: serious
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>, kpcyrd <git at rxv.cc>
> Usertags: embed
>
> rust-webpki-roots is essentially a duplicate of ca-certificates.
>
> https://tracker.debian.org/pkg/ca-certificates
> https://wiki.debian.org/EmbeddedCopies
>
> AFAICT, rebuilding the package from source doesn't run the upstream
> supplied build.py script, so rebuilding from source won't update the
> certs available in the package.
Yes, running the build.py script would cause reproducible builds issues
because it's used to take snapshots of Mozilla's trusted root CA
certificates.
> Having to rebuild rust-webpki-roots and everything that depends on it
> after every update of ca-certificates would be very annoying though.
>
> Probably rust-webpki-roots should be removed from Debian and replaced
> with something that loads the certs from ca-certificates at runtime.
This is a very non-trivial downstream patch though, the project I'm
trying to package runs in a sandbox and loading certificates from disk
at runtime is not possible without redesigning some things.
> As far as I can tell, nothing in Debian uses rust-webpki-roots, but on
> IRC, kpcyrd mentioned that they have projects that use webpki-roots,
> CCing them in order to get more info about that usage.
webpki-roots is an optional dependency of reqwest, see
librust-reqwest+webpki-roots-dev[1]. It's related to
webpki[2]/rustls[3], the later only got accepted into debian very
recently.
[1]: https://packages.debian.org/unstable/librust-reqwest+webpki-roots-dev
[2]: https://tracker.debian.org/pkg/rust-webpki
[3]: https://tracker.debian.org/pkg/rust-rustls
More information about the Pkg-rust-maintainers
mailing list