
Msg # 8 of 1179 on ZZLI4422, Wednesday 11-04-25, 1:30
From: ADRIAN BUNK
To: SIMON RICHTER
Subj: Re: Hard Rust requirements from May onwa
From: bunk@debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Tue, Nov 04, 2025 at 08:01:53PM +0900, Simon Richter wrote:
> Hi,

Hi Simon,

> On 11/4/25 7:32 PM, Adrian Bunk wrote:
>
> > The main selling point of Rust is that it avoids some classes of
> > vulnerabilities at the language level, but we are not set up to
> > automatically detect and handle it when published CVEs might
> > affect Rust programs like sqv.
>
> I think we need to create infrastructure for that anyway -- there's lots of
> C++ programs with similarly sloppy dependency management now, especially
> anything using dear imgui and shipping twenty copies of stb -- in that
> ecosystem it is completely normal to ship a library as source code that
> needs to be compiled with a configuration header on the include path, and
> Rust code is refreshingly sensible compared to that.

the ecosystem you mention is far more fringe in Debian than apt/sqv.

We try hard to avoid using vendored copies of C/C++ libraries, and static
linking is rare in the C++ ecosystem. The result is not 100%, but it tends
to cover most packages that are important in Debian or might have CVEs.

Due to growing upstream usage of Rust we do not really have a choice at
this point other than creating infrastructure that enables rebuilding a
4 digit number of packages in a stable release after a CVE fix in
src:rustc, and then Static-Built-Using could also be used for covering
packages using imgui.

My main grievance here is that the proponents of using Rust in Debian even
in core components do not seem to care about the well-known fact that
proper security support for the Rust ecosystem is not available in Debian
today - but they do use (also in the start of this thread) security as the
selling point for using Rust.

When even the proponents of more Rust usage in Debian do not care about
security support for the Rust ecosystem and doing the necessary work,
how will that ever happen?

> Simon

cu
Adrian

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmkJ65QACgkQiNJCh6LY
mLFuLQ//QQUEP5g1YfesvQoM+oBmEhb7RwGESQEUiKs5WAb+tffdbGHkh7ifwziq
PX8PoJMv0i6uZXAA107+raqLyptj0s4i9w34+D6wWt7EwDFfmlbyQgjeKDkQP3x/
QoKVMpyvr+g/9ujNEsSYqCPGHUvyqKZDcq+CqqxpBVVoKFtDyhz/J8GGnc2MhSZi
S4b7ibNSFN4xnuBpovOQd0rXN1bd5atoit0qxLm/N9fJ1U+8qM4EFLwskHR3r2x7
xckx4JafJfou1aYXA54XyQ1zB/6vXcS0hJerORCT+4CosDaFSaUm2YxjMgWWgRR6
dRg5p2Xb7lMiZSZMWNG3o8b4y8xUr7ZUgdWK3bWgdE0ITHEMnpEU4Dfv7eobANOs
aYolBEyr2HhKL8NsIlxQBuNJqzhaVp/qIBdMpr76wYMvpzxSadW/FS9qCCkCUbdb
0LYW4RF+6encIt62aXumc186OM+GtCqqAQoDk7WiQHrMMBYXkD8cKbU1vgrDm17n
wMo5HrMsWvaRyr7z1CHR8zdip3MrAUvwD3UBh03IW5PGNyIzAfUwx6zTWtC/FvXO
ZzUEKLFkUhqoQOsj7j+Dh8X23mLQMBt5B7VCIt4MEzUURBSXLyGYSeu/n5OGkmVN
5nual0xbSd/rW+xmiC5Fj/nczuh9mg8rDG/vZwhdQcQrxAsntUM=
=ASfg
-----END PGP SIGNATURE-----
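The rebuild-tracking step Adrian describes (finding every binary package in a stable release that statically embeds code from src:rustc, or from imgui, once that source has been fixed) can be approximated from the Static-Built-Using field that dpkg records in a Packages index. The example below is added here and is not code from this thread, from Debian's security tooling, or from dpkg; the Packages stanzas, package names and version strings in it are constructed sample data, and it compares versions by plain string inequality rather than dpkg's version ordering, which is an assumption made to keep the example self-contained.

```python
"""List binary packages that still embed an older build of a given source
package, by parsing Built-Using / Static-Built-Using from a Packages index.

Added example, not Debian or dpkg code. SAMPLE_PACKAGES is constructed
sample data in deb822 (Packages index) format; versions are compared by
string inequality, not by dpkg's version ordering (an assumption)."""

import re

# Constructed sample Packages stanzas (not real archive contents).
SAMPLE_PACKAGES = """\
Package: sqv
Version: 1.2.0-1
Architecture: amd64
Static-Built-Using: rustc (= 1.85.0+dfsg1-1), rust-sequoia-openpgp (= 1.22.0-1)

Package: apt
Version: 3.0.1
Architecture: amd64
Static-Built-Using: rustc (= 1.85.0+dfsg1-1), rust-sequoia-openpgp (= 1.22.0-1)

Package: someimguiapp
Version: 0.4-2
Architecture: amd64
Static-Built-Using: imgui (= 1.90-1), stb (= 0.0~git20230101-1)

Package: hello
Version: 2.10-3
Architecture: amd64
"""


def parse_packages(text):
    """Split a Packages index into stanzas; each stanza becomes a dict of fields.
    Continuation lines (leading whitespace) are appended to the previous field."""
    stanzas = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        fields = {}
        last = None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last is not None:
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                last = key.strip()
                fields[last] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def parse_built_using(value):
    """Turn 'src (= ver), src2 (= ver2)' into {src: ver}. Both Built-Using and
    Static-Built-Using use this exact-version relation form."""
    deps = {}
    for item in value.split(","):
        m = re.match(r"\s*(\S+)\s*\(\s*=\s*([^)]+)\)", item)
        if m:
            deps[m.group(1)] = m.group(2).strip()
    return deps


def packages_needing_rebuild(text, fixed_source, fixed_version):
    """Return sorted (package, embedded_version) pairs for every binary that
    embeds fixed_source at a version other than fixed_version, i.e. binaries
    that still carry the pre-fix code and must be rebuilt."""
    hits = []
    for pkg in parse_packages(text):
        embedded = {}
        for field in ("Built-Using", "Static-Built-Using"):
            if field in pkg:
                embedded.update(parse_built_using(pkg[field]))
        ver = embedded.get(fixed_source)
        if ver is not None and ver != fixed_version:
            hits.append((pkg["Package"], ver))
    return sorted(hits)


if __name__ == "__main__":
    # Suppose src:rustc was fixed in 1.85.0+dfsg1-2 (constructed version).
    for name, ver in packages_needing_rebuild(SAMPLE_PACKAGES, "rustc", "1.85.0+dfsg1-2"):
        print(f"{name}: statically built against rustc {ver}, needs rebuild")
```

Run against a real index (for example the Packages file of a stable suite) the same scan answers "which binaries still contain the vulnerable rustc code" after a security upload; the same call with `"imgui"` as the fixed source covers the statically vendored C++ case Simon raised, provided those packages record Static-Built-Using in the first place. A production version would compare versions with `dpkg --compare-versions` rather than by string inequality.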