[Pkg-rust-maintainers] Bug#972802: rust-webpki-roots: duplicates ca-certificates, remove from Debian?

Bastian Germann bastiangermann at fishpost.de
Sat Oct 24 11:58:40 BST 2020


On Sat, 24 Oct 2020 11:50:14 +0800 Paul Wise <pabs at debian.org> wrote:
> On Sat, 2020-10-24 at 03:06 +0000, kpcyrd wrote:
> 
> > Yes, running the build.py script would cause reproducible builds issues
> > because it's used to take snapshots of Mozilla's trusted root CA
> > certificates.
> 
> Hmm, I assume that is because it would build from the current snapshot
> each time it is run? 
> 
> > This is a very non-trivial downstream patch though, the project I'm
> > trying to package runs in a sandbox and loading certificates from disk
> > at runtime is not possible without redesigning some things.
> 
> One option to solve this would be to have src:rust-webpki-roots provide
> webpki-roots-build containing build.py and then have ca-certificates
> build-dep on webpki-roots, run build.py and build a binary package
> containing the generated rust code. That seems a bit ick though.
> 
> Is there any chance of webpki/rustls upstream switching from embedding
> to runtime loading of certs like other TLS stacks do?
> 
> > webpki-roots is an optional dependency of reqwest, see
> > librust-reqwest+webpki-roots-dev[1].
> 
> It looks like this package needs rebuilding, because the binary package
> librust-webpki-roots-dev doesn't provide the virtual package named
> librust-webpki-roots-0.16+default-dev any more, which is probably why
> dak didn't know that something in Debian uses src:rust-webpki-roots.
> 
> > It's related to webpki[2]/rustls[3], the latter only got accepted
> > into Debian very recently.
> 
> These appear to be the websites for these two:
> 
> https://briansmith.org/rustdoc/webpki/
> https://github.com/ctz/rustls

I packaged rustls and webpki-roots as preconditions for packaging
MesaLink. I will not pursue this project any longer; the reason for it
was #963699 which is not relevant anymore.

I am okay with removing both of these packages again. However, rustls is
a common package in the Rust world and the Rust team might want to keep it.
