
| Msg # 4 of 1179 on ZZLI4422, Wednesday 11-04-25, 11:50 |
| From: ADRIAN BUNK |
| To: ADRIAN BUNK |
| Subj: Re: Hard Rust requirements from May onwa |
From: bunk@debian.org

On Tue, Nov 04, 2025 at 07:22:43AM +0100, Ansgar 🙀 wrote:
> Hi Bunk,
>
> On Mon, 2025-11-03 at 23:59 +0200, Adrian Bunk wrote:
> > On Sun, Nov 02, 2025 at 01:08:06PM +0100, Joerg Jaspert wrote:
> > > ...
> > > I think that shouldn't be on one maintainer's decision alone.
> > > ...
> >
> > In addition to that, discussion of relevant topics that would be part of
> > any normal decision process is also missing.
> >
> > Like people tend to forget about [1].
> > Has the Security team committed to change that in forky?
> > Has the Archive Operations Team committed to fixing their part of that?
> > Is all tooling automatic enough that handling 1k binNMUs per
> > architecture as part of a DSA or point release wouldn't cause problems?
> > Is anyone working on different binNMU version numbering in stable
> > releases?
>
> Have we stopped shipping Firefox yet? Or only provide it to users via
> snap?

IMHO providing Firefox (and Chromium) as Flatpak/Snap/... as Ubuntu is
doing is a better option than doing half a Flatpak manually, but both
options work.

Firefox is its own ecosystem, it vendors everything and (after a year in
stable) even uses a different copy of a Rust compiler.

> If not, we already seem to be able to provide security support for
> Rust-based software in stable. And that for software dealing with
> likely more hostile data/attacks than APT.

We are able to provide security support for Rust-based software when it
CVEs so frequently that we are doing a DSA with a new upstream version
every month.

> For ports: they can just use an ancient APT version indefinitely as
> they don't have any security support either way...

Are you speaking as a member of the Archive Operations Team when
committing to keep Sources from ftp-master compatible with ancient APT
forever?

On Mon, Nov 03, 2025 at 11:59:46PM +0200, Adrian Bunk wrote:
> >...
> > sqv (used by apt in trixie) is already affected by this.
> >
> > It has been known and discussed for a decade that we are not set up for
> > security support of static-only ecosystems, and I do not have the
> > impression that the proponents of more Rust in Debian care about
> > security.
> >...
> Fighting bitter rearguard battles by using other teams that haven't
> (yet) done work required for more broad Rust support as pawns doesn't
> seem too helpful for me, but rather goes into the line of toxic
> behavior...

I hope apt in trixie is using sqv only on trusted contents.

The main selling point of Rust is that it avoids some classes of
vulnerabilities at the language level, but we are not set up to
automatically detect and handle it when published CVEs might affect Rust
programs like sqv.

> Ansgar

cu
Adrian