package: rust-sequoia-keystore-openpgp-card

hi,
quoting from #debian-rust with the permission of everyone involved:

* h01ger wonders how to get rust-rsa into trixie
<ncts[m]> what for? there's a security advisory with no fix
<h01ger> it's needed for https://tracker.debian.org/pkg/rust-sequoia-keystore-openpgp-card
<ncts[m]> it might be feasible to drop rsa support on debian side, or if not, convince security team it's not really that big a problem
<kpcyrd> h01ger: I think you can reconfigure sequoia to use a different crypto backend, that's how I got repro-env into the testing repos
* h01ger nods, thanks
<kpcyrd> h01ger: the relevant upstream bug for the `rsa` crate is https://github.com/RustCrypto/RSA/issues/19
fe2o3bot- (#debian-rust) "modpow implementation is not constant-time" (open) - https://github.com/RustCrypto/RSA/issues/19
<kpcyrd> for completeness' sake, this is the relevant Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057096 and it has been mentioned on the mailing list in August https://lists.debian.org/debian-rust/2024/08/msg00017.html because `rsa` also blocks `rust-pyo3` through `sqlx` and `sqlx-mysql`
fe2o3bot- (#debian-rust) "pyo3 debversion, sqlx and rsa crates." - https://lists.debian.org/debian-rust/2024/08/msg00017.html
zwiebelbot- (#debian-rust) Debian#1057096: rust-rsa: CVE-2023-49092: RUSTSEC-2023-0071: Marvin Attack: potential key recovery through timing sidechannels - https://bugs.debian.org/1057096
<kpcyrd> I think it'd be a good place for open source funding magic to happen
* h01ger sets #1057096 forwarded to https://github.com/RustCrypto/RSA/issues/19
fe2o3bot- (#debian-rust) "modpow implementation is not constant-time" (open) - https://github.com/RustCrypto/RSA/issues/19
<kpcyrd> all the crypto people I know are either busy and/or I'm out of favors
<capitol> h01ger: I have hardcoded sequoia to use the nettle backend in debian
<capitol> h01ger: we could de-hardcode it, but that would require us to manually tweak the autopkgtests that are generated and that was a bigger pain
<h01ger> capitol: "I have hardcoded sequoia to use the nettle backend in debian" - I don't understand: why is sequoia-keystore-openpgp-card then depending on -rsa? (and the others apparently not?)
<ncts[m]> they probably meant the "main" sequoia crates? k-o-card OTOH directly uses rsa in code
<capitol> h01ger: right, that was a bit unclear, I meant that many of the sequoia crates have patches like these: https://salsa.debian.org/rust-team/debcargo-conf/-/blob/master/src/sequoia-ipc/debian/patches/enable-nettle.patch?ref_type=heads
<capitol> h01ger: the rsa dependency seems to be a direct dependency https://crates.io/crates/sequoia-keystore-openpgp-card/0.1.0/dependencies
<capitol> that makes it more tricky :/

-- 
cheers,
Holger

holger@(debian|reproducible-builds|layer-acht).org
OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
The wrong Amazon is burning.