Re: Hard Rust requirements from May onward
On Tue, Nov 04, 2025 at 07:22:43AM +0100, Ansgar 🙀 wrote:
> Hi Bunk,
>
> On Mon, 2025-11-03 at 23:59 +0200, Adrian Bunk wrote:
> > On Sun, Nov 02, 2025 at 01:08:06PM +0100, Joerg Jaspert wrote:
> > > ...
> > > I think that shouldn't be on one maintainers decision alone.
> > > ...
> >
> > In addition to that, discussion of relevant topics that would be part
> > of any normal decision process is also missing.
> >
> > Like people tend to forget about [1].
> > Has the Security team committed to change that in forky?
> > Has the Archive Operations Team committed to fixing their part of that?
> > Is all tooling automatic enough that handling 1k binNMUs per
> > architecture as part of a DSA or point release wouldn't cause problems?
> > Is anyone working on different binNMU version numbering in stable
> > releases?
>
> Have we stopped shipping Firefox yet? Or only provide it to users via
> snap?
IMHO providing Firefox (and Chromium) as Flatpak/Snap/... as Ubuntu is
doing is a better option than doing half a Flatpak manually, but both
options work.
Firefox is its own ecosystem, it vendors everything and (after a year in
stable) even uses a different copy of a Rust compiler.
> If not, we already seem to be able to provide security support for
> Rust-based software in stable. And that for software dealing with
> likely more hostile data/attacks than APT.
We are able to provide security support for Rust-based software when it
CVEs so frequently that we are doing a DSA with a new upstream version
every month.
> For ports: they can just use an ancient APT version indefinitely as
> they don't have any security support either way...
Are you speaking as member of the Archive Operations Team when
committing to keep Sources from ftp-master compatible with
ancient APT forever?
On Mon, Nov 03, 2025 at 11:59:46PM +0200, Adrian Bunk wrote:
> >...
> > sqv (used by apt in trixie) is already affected by this.
> >
> > It has been known and discussed for a decade that we are not set up for
> > security support of static-only ecosystems, and I do not have the
> > impression that the proponents of more Rust in Debian care about
> > security.
> >...
> Fighting bitter rearguard battles by using other teams that haven't
> (yet) done work required for more broad Rust support as pawns doesn't
> seem too helpful for me, but rather goes into the line of toxic
> behavior...
I hope apt in trixie is using sqv only on trusted contents.</sarcasm>
The main selling point of Rust is that it avoids some classes of
vulnerabilities at the language level, but we are not set up to
automatically detect and handle it when published CVEs might
affect Rust programs like sqv.
> Ansgar
cu
Adrian