On Sat, 2020-10-24 at 03:06 +0000, kpcyrd wrote:

> Yes, running the build.py script would cause reproducible builds issues
> because it's used to take snapshots of Mozilla's trusted root CA
> certificates.

Hmm, I assume that is because it would build from the current snapshot each time it is run?

> This is a very non-trivial downstream patch though, the project I'm
> trying to package runs in a sandbox and loading certificates from disk
> at runtime is not possible without redesigning some things.

One option to solve this would be to have src:rust-webpki-roots provide webpki-roots-build containing build.py and then have ca-certificates build-dep on webpki-roots, run build.py and build a binary package containing the generated rust code. That seems a bit ick though.

Is there any chance of webpki/rustls upstream switching from embedding to runtime loading of certs like other TLS stacks do?

> webpki-roots is an optional dependency of reqwest, see
> librust-reqwest+webpki-roots-dev[1].

It looks like this package needs rebuilding, because the binary package librust-webpki-roots-dev doesn't provide the virtual package named librust-webpki-roots-0.16+default-dev any more, which is probably why dak didn't know that something in Debian uses src:rust-webpki-roots.

> It's related to webpki[2]/rustls[3], the latter only got accepted
> into Debian very recently.

These appear to be the websites for these two:

https://briansmith.org/rustdoc/webpki/
https://github.com/ctz/rustls

-- 
bye,
pabs

https://wiki.debian.org/PaulWise