• Bug#1103833: [Pkg-rust-maintainers] Bug#1103833: rust-protobuf: CVE-202

    From NoisyCoil@21:1/5 to Jonas Smedegaard on Fri Apr 25 20:40:01 2025
    On 25/04/25 07:05, Jonas Smedegaard wrote:
    > Scaphandre is now (pending upload) patched to no longer build-depend on
    > the protobuf crate. Turns out it was optional and already unused for
    > other reasons (will file a bug about that upstream).

    Thanks Jonas!

    As for erbium (via erbium-core), it looks like the functionality it uses
    from prometheus (mostly DNS and DHCP) is independent of Protocol
    Buffers, and decoupling prometheus from protobuf can be done without
    erbium-core FTBFS. So if we're ok with removing protobuf-codegen we
    should be able to remove protobuf v2 and reintroduce v3 in forky when we
    need it.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From NoisyCoil@21:1/5 to All on Sat Apr 26 16:40:01 2025
    I decoupled handlebars from the rest and filed [1] to also decouple
    prometheus: erbium (its only (transitive) reverse dependency
    application) doesn't use protobuf's functionality. This however is not a
    small change, so it needs consensus from the team (hence the MR). Pros
    and cons are detailed in [1].


    [1] https://salsa.debian.org/rust-team/debcargo-conf/-/merge_requests/898
