[Pkg-rust-maintainers] Bug#1012221: rust-stdweb-internal-macros (build-)depends on old version of rust-sha1.

Peter Green plugwash at debian.org
Wed Jun 1 17:33:22 BST 2022


Package: rust-stdweb-internal-macros
Version: 0.2.9-1
Severity: serious

rust-stdweb-internal-macros depends on version 0.6 of rust-sha1

As I understand it, the new version of rust-sha1 is a completely different
code base, with the old rust-sha1 having been renamed to sha1-smol.

stdweb appears to be unmaintained upstream https://rustsec.org/advisories/RUSTSEC-2020-0056.html
and has an open soundness issue https://github.com/koute/stdweb/issues/411

No applications in Debian appear to use stdweb. Nevertheless, this issue
is blocking the migration of the new version of rust-sha1 to testing.
Thanks to the use of collapse_features in instant and parking-lot it is also
making the build-dependencies of debcargo unsatisfiable.

Possible ways forward:

1. Attempt to port stdweb to the rustcrypto version of sha1
2. Introduce a sha1-0.6 package
3. Package sha1-smol and patch stdweb to use it
4. Remove the stdweb features in instant and parking-lot and allow stdweb to be removed from testing.

Given the lack of upstream maintenance of stdweb I'm inclined towards
option 4; does anyone else have any opinions before I go ahead and do it?
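The dependency problem in the report comes down to Cargo's caret semver rule: a crate declaring `sha1 = "0.6"` accepts only 0.6.x, so a rust-sha1 package built from the rewritten 0.10 code base can never satisfy it, and debcargo encodes that compatibility slot in the Debian package name. The script below is an added illustration, not part of the bug report or of debcargo; it implements the caret rule, derives the `librust-<crate>-<slot>-dev` name (my understanding of debcargo's naming scheme, treated here as an assumption), and checks a constructed set of requirements against a constructed list of crate versions present in the archive.

```python
"""Check Cargo caret requirements against crate versions available in an archive.

Added example; the package-name mapping follows what I believe debcargo does and
is an assumption, not taken from the bug report.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '0.6' or '0.10.5' into a (major, minor, patch) tuple, padding with zeros."""
    nums = [int(p) for p in text.lstrip("^").split(".")]
    if not 1 <= len(nums) <= 3:
        raise ValueError(f"bad version: {text!r}")
    return tuple(nums + [0] * (3 - len(nums)))  # type: ignore[return-value]


def caret_range(req: str) -> Tuple[Version, Version]:
    """Return [lower, upper) for a Cargo caret requirement ('0.6' means '^0.6').

    Cargo's rule: the leftmost non-zero component must not change, so
    ^1.2.3 -> <2.0.0, ^0.6 -> <0.7.0, ^0.0.3 -> <0.0.4, ^0 -> <1.0.0.
    """
    parts = req.lstrip("^").split(".")
    lo = parse_version(req)
    major, minor, patch = lo
    if major > 0:
        hi: Version = (major + 1, 0, 0)
    elif len(parts) == 1:          # '^0'
        hi = (1, 0, 0)
    elif minor > 0 or len(parts) == 2:  # '^0.6', '^0.6.1', '^0.0'
        hi = (0, minor + 1, 0)
    else:                          # '^0.0.3'
        hi = (0, 0, patch + 1)
    return lo, hi


def satisfies(req: str, version: str) -> bool:
    """True if `version` lies inside the caret range of `req`."""
    lo, hi = caret_range(req)
    return lo <= parse_version(version) < hi


def debian_dev_package(crate: str, req: str) -> str:
    """Assumed debcargo naming: the compatibility slot is the range's leading
    non-zero prefix, e.g. sha1 0.6 -> librust-sha1-0.6-dev, serde 1 -> librust-serde-1-dev."""
    major, minor, patch = parse_version(req)
    if major > 0:
        slot = str(major)
    elif minor > 0:
        slot = f"0.{minor}"
    else:
        slot = f"0.0.{patch}"
    return f"librust-{crate.replace('_', '-')}-{slot}-dev"


def unsatisfiable(requirements: Dict[str, str],
                  archive: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each requirement with no matching archive version to the Debian
    package that would have to exist for it to be satisfied."""
    missing = {}
    for crate, req in requirements.items():
        versions = archive.get(crate, [])
        if not any(satisfies(req, v) for v in versions):
            missing[crate] = debian_dev_package(crate, req)
    return missing


# Constructed sample: stdweb-internal-macros' sha1 pin beside an archive that
# only carries the rewritten sha1 0.10 line (versions invented for illustration).
SAMPLE_REQUIREMENTS = {"sha1": "0.6", "serde": "1", "proc-macro2": "1.0"}
SAMPLE_ARCHIVE = {"sha1": ["0.10.5"], "serde": ["1.0.136"], "proc-macro2": ["1.0.36"]}


if __name__ == "__main__":
    for crate, pkg in unsatisfiable(SAMPLE_REQUIREMENTS, SAMPLE_ARCHIVE).items():
        print(f"{crate} {SAMPLE_REQUIREMENTS[crate]!r}: no archive version matches; "
              f"would need {pkg}")
```

Running it on the constructed sample reports only `sha1`: 0.10.5 is outside `[0.6.0, 0.7.0)`, which is exactly why a new rust-sha1 upload cannot migrate while stdweb still pins 0.6 (option 2 in the report amounts to providing the `librust-sha1-0.6-dev` slot the script names).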
