[Pkg-rust-maintainers] Bug#1017084: rust-chrono: please update to v0.4.21
Jonas Smedegaard
dr at jones.dk
Sat Aug 13 14:51:08 BST 2022
Quoting Peter Green (2022-08-13 15:33:21)
> >
> > Some reverse dependencies tighten their dependency on chrono to v0.4.20 or
> > v0.4.21, apparently related to RUSTSEC advisory 2020-0159 (bug#996913).
>
> As I discussed in that bug report, while I understand why rustsec
> consider this a security issue (they treat all soundness bugs as security
> issues) I don't think it's particularly useful to characterise it as one
> downstream.
>
> > Please update to latest upstream release 0.4.21 to allow this security
> > tightening to take effect in Debian-packaged code.
>
> The new upstream version depends on the iana-time-zone crate; if/when
> someone packages that crate and it passes through NEW, I am happy to
> update chrono.
Thanks for your input, Peter.
I don't really understand your last comment, however: I would expect
that the maintainer of a package considers packaging dependencies as
needed for maintaining the package - not just waiting idly for others to
do so.
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private