On Sun, Jan 29, 2023 at 04:28:54AM +0000, Peter Michael Green wrote:
> Package: pushpin
> Version: 1.36.0-1
> Severity: serious
> 
> The new version of pushpin added a dependency on jsonwebtoken,
> unfortunately jsonwebtoken depends on ring, which is only available
> on x86* and arm*. There is work upstream to make ring more
> portable but it seems unlikely to feature in a stable release before
> the bookworm freeze.
> 
> Not sure what can be done about this, I tried reverting the
> upstream commit in question using a Debian patch, but it did not
> seem to revert cleanly.

While I'm a huge fan of portable packages, I think in this case it's
better to just restrict the list of available architectures. I doubt
pushpin is actively used on any other architecture than amd64, in
practice.

Doing heavy changes to make pushpin portable to architectures which
don't provide ring may introduce bugs, even security issues, which would
affect users on all architectures.

So I'd say we should remove pushpin from the archive for all
architectures where librust-ring-0.16+default-dev is not available.
