[Pkg-rust-maintainers] Bug#972802: rust-webpki-roots: duplicates ca-certificates, remove from Debian?

[Paul Wise]

On Sat, 2020-10-24 at 03:06 +0000, kpcyrd wrote:

> Yes, running the build.py script would cause reproducible builds issues
> because it's used to take snapshots of Mozilla's trusted root CA
> certificates.

Hmm, I assume that is because it would build from the current snapshot
each time it is run? 

> This is a very non-trivial downstream patch though, the project I'm
> trying to package runs in a sandbox and loading certificates from disk
> at runtime is not possible without redesigning some things.

One option to solve this would be to have src:rust-webpki-roots provide
webpki-roots-build containing build.py and then have ca-certificates
build-dep on webpki-roots, run build.py and build a binary package
containing the generated rust code. That seems a bit ick though.

Is there any chance of webpki/rustls upstream switching from embedding
to runtime loading of certs like other TLS stacks do?

> webpki-roots is an optional dependency of reqwest, see
> librust-reqwest+webpki-roots-dev[1].

It looks like this package needs rebuilding, because the binary package
librust-webpki-roots-dev doesn't provide the virtual package named
librust-webpki-roots-0.16+default-dev any more, which is probably why
dak didn't know that something in Debian uses src:rust-webpki-roots.

>  It's related to webpki[2]/rustls[3], the later only got accepted
> into debian very recently.

These appear to be the websites for these two:

https://briansmith.org/rustdoc/webpki/
https://github.com/ctz/rustls

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/attachments/20201024/74d86589/attachment.sig>