https://rustsec.org/advisories/RUSTSEC-2019-0031.html was issued to flag that rust-spin development stop. I suppose that means it should not enter bullseye / get removed.
This bug is currently one of several blockers for getting rust-cbindgen back into testing and thus making the build-dependencies of firefox-esr satisfiable again there.
Looking at the reverse dependencies (note: dak rm does not work for rust stuff, I'm guessing it lacks understanding of versioned provides). There seem to be two librust-ring-dev and librust-lazy-static+spin-dev librust-lazy-static+spin-dev does not seem to have any reverse dependencies. librust-ring-dev (or it's same-source rdeps) has reverse dependencies of librust-webpki-dev librust-trust-dns-proto+ring-dev librust-trust-dns-proto+dnssec-ring-dev librust-sct-dev librust-cookie+secure-dev and librust-cookie+ring-dev rust-webpki (or it's same-source rdeps) has reverse dependencies of librust-reqwest+webpki-roots-dev and librust-reqwest+rustls-tls-dev librust-trust-dns-proto+ring-dev and librust-trust-dns-proto+dnssec-ring-dev do not seem to have any reverse dependencies. librust-sct-dev does not seem to have any reverse dependencies librust-cookie+secure-dev and librust-cookie+ring-dev does not seem to have any reverse dependencies. rust-reqwest seems to be badly busted anyway and doesn't seem to be required for getting cbindgen back into testing So I see two possible ways forward here. 1. Downgrade this bug, decide that while abandonment obviously raises the possibility of unfixed security holes, this abandoned rust package is not that big a deal in the grand scheme of things. 2. Modify rust-lazy-static, rust-trust-dns-proto and rust-cookie to drop the featureset packages that depend (directly or indirectly) on librust-spin-dev
