On Mon, 08 Jun 2020 19:16:27 -0400 Harlan Lieberman-Berg wrote: > Package: cargo > Version: 0.43.1-3 > Severity: wishlist > > Hello fellow Rustaceans! > > Because cargo has a direct dependency on OpenSSL, it seems logical that we > should switch the priority of openssl and gnutls so Cargo, at least by > default, > isn't building against two different TLS implementations. > > This is especially important considering GnuTLS has had some painful security > incidents recently: CVE-2020-13777 in particular. > > Should just require switching the order of the libcurl dep in d/control.
Hi, took a look at this while going through bug backlog. Unfortunately it's not as easy - switching the direct cargo->gnutls dep around to use the openssl variant works, but - libgit2 pulls in mbedtls - curl itself pulls in gnutls and nettle (via librtmp1), even in the openssl variant if those are fixed at some point, switching over seems sensible. libgit2 is in the process of being replaced upstream with gix, but I suspect that will still take a while to be completed.