Dear maintainer,

When the Rust bindings for libbz2 are built, the build framework tries to locate libbz2 via pkg-config, but when that fails, a vendored copy of libbz2 is compiled and statically linked into the resulting artifact.

This is unfortunate, because the Debian policy advises against using source copies: https://www.debian.org/doc/debian-policy/ch-source.html#embedded-code-copies

Sequoia, an implementation of OpenPGP, relies on the Rust bindings for libbz2. There are two reasons why I wish builds of Sequoia would use the distribution's libbz2 on Debian (as they do on Fedora, for example):

First, compressed OpenPGP messages are usually first signed, then compressed, then encrypted. So, when decrypting a message, it is fed to the decompression library before it is authenticated. Therefore, we need to assume that attacker-controlled material is fed to the library, and as such it is of the utmost importance that libbz2 is secure and kept up to date. Having a source copy of libbz2 makes it less likely that any security updates are applied to it.

Second, statically linking in libbz2 increases the size of our binaries, and this has been held against us.

Please ship a pkg-config definition for libbz2.

Best,
Justus
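For illustration, an added example of what such a pkg-config definition (installed as e.g. /usr/lib/x86_64-linux-gnu/pkgconfig/bzip2.pc) could look like; this is not a file from the bzip2 or Sequoia projects, and the paths, the module name "bzip2" and the placeholder version are assumptions:

```pkgconfig
# Example bzip2.pc (added illustration, not shipped by any package).
# The Rust bindings are assumed to probe the module name "bzip2";
# a probe that succeeds makes the build link the system libbz2
# dynamically instead of compiling the vendored copy.
prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib/x86_64-linux-gnu
includedir=${prefix}/include

Name: bzip2
Description: Block-sorting file compression library (libbz2)
Version: VERSION_PLACEHOLDER
Libs: -L${libdir} -lbz2
Cflags: -I${includedir}
```

With the file in place, `pkg-config --libs --cflags bzip2` should print `-lbz2` (plus any non-default paths), and the resulting Sequoia binary should list libbz2.so in its `ldd` output instead of carrying its own copy.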