• Re: rust-serde-yml - serious concerns about these forks.

    From Blair Noctis@21:1/5 to Peter Green on Wed Feb 12 08:00:01 2025
    To: dkg@fifthhorseman.net (Daniel Kahn Gillmor)
    To: 1094422@bugs.debian.org


On Tue, 28 Jan 2025 00:26:19 +0000 Peter Green <plugwash@debian.org> wrote:
> Package: rust-serde-yml
> Severity: serious
>
> (I will be cloning this bug against rust-libyml once I have a bug number)
>
> rust-serde-yml is a fork of rust-serde-yaml and rust-libyml is
> a fork of rust-unsafe-libyaml.
>
> Serious concerns have been raised about the quality of code in rust-serde-yml.
>
> https://x.com/davidtolnay/status/1883906113428676938
>
> https://www.reddit.com/r/rust/comments/1ibdxf9/beware_of_this_guy_making_slop_crates_with_ai/
>
> Even worse concerns have been raised about code in rust-libyml
>
> https://x.com/mycoliza/status/1883974721143980353
>
> Furthermore the maintainer of these forks has disabled issue tracking
> on the repositories, so these issues cannot be reported where someone
> is likely to see them.
>
> I don't think these packages should be in a Debian release at this time.

    As usual (#397761), BTS won't forward to Uploaders, so I'm doing it, partly because I needed them once for trippy.

    Later trippy switched to TOML and ditched dependency on those. Now that nothing in Debian depends on libyml nor serde_yml (according to codesearch.d.n), I suggest we RM them.

    --
    Sdrager,
    Blair Noctis
