Bug#1012221: marked as done (rust-stdweb-internal-macros (build-)depends on old version of rust-sha1.)

Thu, 02 Jun 2022 05:33:18 -0700 

Your message dated Thu, 2 Jun 2022 14:29:45 +0200
with message-id <0c531c04-c678-052c-9309-7e28447ef...@debian.org>
and subject line Re: [Pkg-rust-maintainers] Bug#1012221: 
rust-stdweb-internal-macros (build-)depends on old version of rust-sha1.
has caused the Debian Bug report #1012221,
regarding rust-stdweb-internal-macros (build-)depends on old version of 
rust-sha1.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1012221: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012221
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Package: rust-stdweb-internal-macros
Version: 0.2.9-1
Severity: serious

rust-stdweb-internal-macros depends on version 0.6 of rust-sha1

As I understand it the new version of rust-sha1 is a completely different
code base with the old rust-sha1 having been renamed to sha1-smol

stdweb appears to be unmaintained upstream 
https://rustsec.org/advisories/RUSTSEC-2020-0056.html
and has an open soundness issue https://github.com/koute/stdweb/issues/411

No applications in Debian appear to use stdweb, Nevertheless this issue
is blocking the migration of the new version of rust-sha1 to testing.
Thanks to the use of collapse_features in instant and parking-lot it is also
making the build-dependencies of debcargo unsatisfiable.

Possible ways forward:

1. Attempt to port stdweb to the rustcrypto version of sha1
2. Introduce a sha1-0.6 package
3. Package sha1-smol and patch stdweb to use it
4. Remove the stdweb features in instant and parking-lot and allow stdweb to be 
removed from testing.

Given the lack of upstream maintinance of stdweb i'm inclined towards
option 4, does anyone else have any opinions before I go ahead and do it?

--- End Message ---
--- Begin Message --- 
fixed 1012221
thanks

Le 01/06/2022 à 18:33, Peter Green a écrit :

Package: rust-stdweb-internal-macros
Version: 0.2.9-1
Severity: serious

4. Remove the stdweb features in instant and parking-lot and allow stdweb to be 
removed from testing.


I think I implemented this solution.

I opened #1012261 for the removal of the packages.

Cheers,
Sylvestre

--- End Message ---

Reply via email to