[Pkg-rust-maintainers] Bug#1084118: rust-sequoia-keystore-openpgp-card: migration to trixie blocked by rust-rsa

Holger Levsen holger at layer-acht.org
Sat Oct 5 12:09:06 BST 2024


package: rust-sequoia-keystore-openpgp-card

hi,

quoting from #debian-rust with the permission of everyone involved:

 * | h01ger wonders how to get rust-rsa into trixie
<ncts[m]> what for? there's a security advisory with no fix
<h01ger> it's needed for https://tracker.debian.org/pkg/rust-sequoia-keystore-openpgp-card
<ncts[m]> it might be feasible to drop rsa support on debian side, or if not, convince security team it's not really that big a problem
<kpcyrd> | h01ger: I think you can reconfigure sequoia to use a different crypto backend, that's how I got repro-env into the testing repos
  * | h01ger nods, thanks
<kpcyrd> | h01ger: the relevant upstream bug for the `rsa` crate is https://github.com/RustCrypto/RSA/issues/19
fe2o3bot- | (#debian-rust) "modpow implementation is not constant-time" (open) - https://github.com/RustCrypto/RSA/issues/19
<kpcyrd> for completeness' sake, this is the relevant Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057096 and it has been mentioned on the mailing list in August https://lists.debian.org/debian-rust/2024/08/msg00017.html because `rsa` also blocks `rust-pyo3` through `sqlx` and `sqlx-mysql`
fe2o3bot- | (#debian-rust) "pyo3 debversion, sqlx and rsa crates." - https://lists.debian.org/debian-rust/2024/08/msg00017.html
zwiebelbot- | (#debian-rust) Debian#1057096: rust-rsa: CVE-2023-49092: RUSTSEC-2023-0071: Marvin Attack: potential key recovery through timing sidechannels - https://bugs.debian.org/1057096
<kpcyrd> I think it'd be a good place for open source funding magic to happen
 * | h01ger sets #1057096 forwarded to https://github.com/RustCrypto/RSA/issues/19
fe2o3bot- | (#debian-rust) "modpow implementation is not constant-time" (open) - https://github.com/RustCrypto/RSA/issues/19
<kpcyrd> all the crypto people I know are either busy and/or I'm out of favors
<capitol> | h01ger: i have hardcoded sequoia to use the nettle backend in debian
<capitol> | h01ger: we could de-hardcode it, but that would require us to manually tweak the autopkgtests that are generated and that was a bigger pain
<h01ger> capitol: "i have hardcoded sequoia to use the nettle backend in debian" - I don't understand: why is sequoia-keystore-openpgp-card then depending on -rsa? (and the others apparently not?)
<ncts[m]> they probably meant the "main" sequoia crates? k-o-card OTOH directly uses rsa in code
<capitol> | h01ger: right, that was a bit unclear, I meant that many of the sequoia crates have patches like these: https://salsa.debian.org/rust-team/debcargo-conf/-/blob/master/src/sequoia-ipc/debian/patches/enable-nettle.patch?ref_type=heads
<capitol> | h01ger: the rsa dependency seems to be a direct dependency https://crates.io/crates/sequoia-keystore-openpgp-card/0.1.0/dependencies
<capitol> that makes it more tricky :/


-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The wrong Amazon is burning.