
pyo3 debversion, sqlx and rsa crates.
Currently the new version of rust-pyo3 is blocked from migrating to testing
by rust-debversion; rust-debversion is blocked by rust-sqlx, which is blocked
by rust-sqlx-mysql, which is blocked by rust-rsa.

rust-rsa has a security issue filed about a timing attack, which seems to be
taking a very long time to fix. It seems the issue was initially filed as a
bug in 2019! But it did not get reported to RustSec until November 2023; it's
now August 2024 and it's still not fixed.

In May 2024, to avoid applications getting removed from testing, I patched
rust-debversion to disable support for rust-sqlx. However, it was re-enabled
by jelmer in version 0.4.1-1. No comment was made about this in the changelog
or commit message, so I don't know if this change was intentional or
inadvertent.

I see the following possibilities for moving forward:

1. Disable sqlx support
2. Disable mysql support in sqlx
3. Convince the sqlx maintainers that they should switch to a different RSA
   implementation.
4. Decide that the security bug is not RC after all.

