
Re: Hard Rust requirements from May onward




On Tue, Nov 04, 2025 at 08:01:53PM +0900, Simon Richter wrote:
> Hi,

Hi Simon,

> On 11/4/25 7:32 PM, Adrian Bunk wrote:
> 
> > The main selling point of Rust is that it avoids some classes of
> > vulnerabilities at the language level, but we are not set up to
> > automatically detect and handle it when published CVEs might
> > affect Rust programs like sqv.
> 
> I think we need to create infrastructure for that anyway -- there's lots of
> C++ programs with similarly sloppy dependency management now, especially
> anything using dear imgui and shipping twenty copies of stb -- in that
> ecosystem it is completely normal to ship a library as source code that
> needs to be compiled with a configuration header on the include path, and
> Rust code is refreshingly sensible compared to that.

the ecosystem you mention is far more fringe in Debian than apt/sqv.

We try hard to avoid using vendored copies of C/C++ libraries,
and static linking is rare in the C++ ecosystem.
The result is not 100%, but it tends to cover most packages that
are important in Debian or might have CVEs.

Due to growing upstream usage of Rust we do not really have a choice at
this point other than creating infrastructure that enables rebuilding a
4-digit number of packages in a stable release after a CVE fix in
src:rustc, and then Static-Built-Using could also be used for covering
packages using imgui.

My main grievance here is that the proponents of using Rust in Debian
even in core components do not seem to care about the well-known fact
that proper security support for the Rust ecosystem is not available in
Debian today - but they do use (also in the start of this thread)
security as the selling point for using Rust.

When even the proponents of more Rust usage in Debian do not care about
security support for the Rust ecosystem and doing the necessary work,
how will that ever happen?

>    Simon

cu
Adrian
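The rebuild tracking the mail argues for (finding every binary package that statically embedded a source package before a CVE fix landed in it, using the Static-Built-Using control field) can be illustrated with a small parser. This is an added example, not code from the mail or from Debian's own infrastructure: the Packages stanzas, package names and version strings are constructed for the demonstration, and the "needs rebuild" test is a plain string comparison against the fixed version rather than dpkg's version ordering, which real tooling would use via `dpkg --compare-versions`.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of a binary Packages index (deb822 format). The package
# names and versions are made up for this example and are not real Debian data.
SAMPLE_PACKAGES = """\
Package: sqv
Version: 1.2.1-1
Architecture: amd64
Static-Built-Using: rustc (= 1.85.0+dfsg1-1), rust-sequoia-openpgp (= 1.21.2-1), rust-anyhow (= 1.0.86-1)

Package: apt
Version: 2.9.30
Architecture: amd64
Depends: libc6 (>= 2.34)

Package: uutils-coreutils
Version: 0.0.30-1
Architecture: amd64
Static-Built-Using: rustc (= 1.84.1+dfsg1-2),
 rust-clap (= 4.5.20-1)
"""

FIELD_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")
# One entry of a Static-Built-Using value has the form "source (= version)".
ENTRY_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9+.-]*)\s*\(=\s*([^)\s]+)\s*\)")


def parse_packages(text: str) -> List[Dict[str, str]]:
    """Parse a deb822 Packages index into one dict per stanza.

    Stanzas are separated by blank lines; a line starting with whitespace is a
    continuation of the previous field and is folded into its value.
    """
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_field = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field is not None:
            current[last_field] += " " + line.strip()
            continue
        m = FIELD_RE.match(line)
        if not m:
            raise ValueError(f"malformed control line: {line!r}")
        last_field = m.group(1)
        current[last_field] = m.group(2)
    if current:
        stanzas.append(current)
    return stanzas


def parse_built_using(value: str) -> List[Tuple[str, str]]:
    """Split a Static-Built-Using value into (source package, version) pairs."""
    return ENTRY_RE.findall(value)


def affected_packages(stanzas: List[Dict[str, str]], source: str,
                      fixed_version: str) -> Dict[str, str]:
    """Map each binary package that embeds `source` at a version other than
    `fixed_version` to the embedded version, i.e. the set that needs a rebuild
    after the fixed source package has been uploaded.

    Assumption: within one suite any embedded version that differs from the
    fixed one predates it, so string inequality suffices here; production
    tooling should compare with dpkg's version ordering instead.
    """
    affected: Dict[str, str] = {}
    for stanza in stanzas:
        for src, ver in parse_built_using(stanza.get("Static-Built-Using", "")):
            if src == source and ver != fixed_version:
                affected[stanza["Package"]] = ver
    return affected


if __name__ == "__main__":
    # Hypothetical fix: rustc uploaded at version 1.85.0+dfsg1-2 (constructed).
    for pkg, ver in sorted(affected_packages(parse_packages(SAMPLE_PACKAGES),
                                             "rustc", "1.85.0+dfsg1-2").items()):
        print(f"{pkg}: rebuild needed (built with rustc {ver})")
```

Run against a real index the same logic would read a suite's Packages file (or `apt-cache dumpavail` output) instead of the embedded sample; the point of the example is that the field makes the otherwise invisible static dependency queryable, which is the prerequisite for the mass rebuild the mail describes.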