Hi

I'm slowly working my way towards packaging ripasso, which doesn't use
ncurses-rs due to the above security problems. But it does use cursive
( https://crates.io/crates/cursive ), which has ncurses-rs as an
optional dependency.

Currently the rust packaging system in debian requires all optional
dependencies to be present in order to build the package.

I have suggested to the cursive maintainer to remove ncurses-rs due to
the above security concerns here (
https://github.com/gyscos/cursive/issues/488 ), but I suspect that this
would be considered quite a disruptive change. I have also started to
rewrite it to use ncursesw but haven't had the time/skill to finish
that work yet.

I'm not opposed to removing it, as that kind of unmaintained code with
known security problems is an exploit waiting to happen. But it would
also require a lot of work to happen before we can package anything
that depends on cursive into debian.

best regards
Alexander Kjäll

On Wed 14 Oct 2020 at 05:57, peter green <plugw...@p10link.net> wrote:
>
> I just looked at this issue.
>
> rust-ncurses is a thin wrapper around ncurses. It exposes unsafe (in the rust
> sense) C APIs to safe rust code. The rust security team consider this to be a
> vulnerability.
>
> There is more discussion of this issue at
> https://github.com/jeaye/ncurses-rs/issues/188
> the fix would be to mark most if not all of the functions exposed by the
> library as unsafe and release a new major version of the library. Any reverse
> dependencies would then need to be adapted to work with the new unsafe
> functions. The upstream maintainer has indicated they would be accepting of a
> pull request but is not interested in doing the work themselves.
>
> There is also another wrapper called ncursesw which seems to be better
> maintained and offers both low-level wrappers (correctly marked as unsafe) and
> higher-level wrappers (some of which are safe). It is not packaged in Debian.
>
> I looked to see what, if any, packages in Debian use rust-ncurses and I did not
> find any in either buster, bullseye or sid. Is there a reason to keep this
> package around?
>
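An added example, not code from this thread, ncurses-rs or cursive, of the wrapper shape peter green describes. It uses libc's strlen instead of ncurses so it builds without the C library: the thin safe wrapper that forwards a &str to C, the fix proposed in the thread (marking the function unsafe with a documented contract), and a higher-level safe wrapper that upholds the contract itself. All function names are illustrative.

```rust
// Added example: the "unsafe C API exposed as safe Rust" problem discussed in
// the thread, shown on strlen rather than ncurses. Function names are invented.
use std::ffi::CString;
use std::os::raw::c_char;

extern "C" {
    // C: size_t strlen(const char *s);
    // Precondition: s points at a NUL-terminated string.
    fn strlen(s: *const c_char) -> usize;
}

/// The vulnerable shape (what a "thin wrapper" ships): a safe fn that forwards
/// a &str to C without establishing C's precondition. A &str is not
/// NUL-terminated, so strlen keeps reading past the end of the buffer.
/// Safe callers cannot see this hazard; do not call it.
pub fn len_thin_wrapper(s: &str) -> usize {
    unsafe { strlen(s.as_ptr() as *const c_char) }
}

/// The fix the thread proposes: the same function marked `unsafe`, with the
/// contract the caller must uphold written down. Callers now need an
/// `unsafe` block and must provide a NUL-terminated buffer themselves.
///
/// # Safety
/// `s` must contain a NUL byte; strlen stops at the first one.
pub unsafe fn len_unsafe_contract(s: &str) -> usize {
    strlen(s.as_ptr() as *const c_char)
}

/// The higher-level shape (what ncursesw's safe wrappers do): the wrapper
/// owns the precondition. CString appends the terminator and rejects
/// interior NULs, so exposing this as a safe fn is legitimate.
pub fn len_sound_wrapper(s: &str) -> Option<usize> {
    let c = CString::new(s).ok()?;
    // SAFETY: `c` is NUL-terminated and outlives the call.
    Some(unsafe { strlen(c.as_ptr()) })
}

fn main() {
    println!("{:?}", len_sound_wrapper("hello"));     // Some(5)
    println!("{:?}", len_sound_wrapper("has\0nul"));  // None
    // Contract satisfied: the buffer contains a NUL byte.
    println!("{}", unsafe { len_unsafe_contract("hi\0") }); // 2
}
```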
