On Sat, 24 Oct 2020 11:50:14 +0800 Paul Wise <p...@debian.org> wrote:
On Sat, 2020-10-24 at 03:06 +0000, kpcyrd wrote:
> Yes, running the build.py script would cause reproducible builds issues
> because it's used to take snapshots of Mozilla's trusted root CA
> certificates.
Hmm, I assume that is because it would build from the current snapshot
each time it is run?
> This is a very non-trivial downstream patch though, the project I'm
> trying to package runs in a sandbox and loading certificates from disk
> at runtime is not possible without redesigning some things.
One option to solve this would be to have src:rust-webpki-roots provide
webpki-roots-build containing build.py and then have ca-certificates
build-dep on webpki-roots, run build.py and build a binary package
containing the generated rust code. That seems a bit ick though.
Is there any chance of webpki/rustls upstream switching from embedding
to runtime loading of certs like other TLS stacks do?
> webpki-roots is an optional dependency of reqwest, see
> librust-reqwest+webpki-roots-dev[1].
It looks like this package needs rebuilding, because the binary package
librust-webpki-roots-dev doesn't provide the virtual package named
librust-webpki-roots-0.16+default-dev any more, which is probably why
dak didn't know that something in Debian uses src:rust-webpki-roots.
> It's related to webpki[2]/rustls[3], the later only got accepted
> into debian very recently.
These appear to be the websites for these two:
https://briansmith.org/rustdoc/webpki/
https://github.com/ctz/rustls
I packaged rustls and webpki-roots as preconditions for packaging
MesaLink. I will not pursue this project any longer; the reason for it
was #963699 which is not relevant anymore.
I am okay with removing both of these packages again. However, rustls is
a common package in Rust world and the Rust team might want to keep it.