Package: rust-stdweb-internal-macros
Version: 0.2.9-1
Severity: serious

rust-stdweb-internal-macros depends on version 0.6 of rust-sha1.

As I understand it the new version of rust-sha1 is a completely different code base, with the old rust-sha1 having been renamed to sha1-smol.

stdweb appears to be unmaintained upstream https://rustsec.org/advisories/RUSTSEC-2020-0056.html and has an open soundness issue https://github.com/koute/stdweb/issues/411

No applications in Debian appear to use stdweb. Nevertheless, this issue is blocking the migration of the new version of rust-sha1 to testing. Thanks to the use of collapse_features in instant and parking-lot it is also making the build-dependencies of debcargo unsatisfiable.

Possible ways forward:

1. Attempt to port stdweb to the rustcrypto version of sha1
2. Introduce a sha1-0.6 package
3. Package sha1-smol and patch stdweb to use it
4. Remove the stdweb features in instant and parking-lot and allow stdweb to be removed from testing.

Given the lack of upstream maintenance of stdweb I'm inclined towards option 4. Does anyone else have any opinions before I go ahead and do it?