On Wed, 28 Feb 2024 23:27:20 +0100 Jonas Smedegaard <d...@jones.dk> wrote:
> Quoting Debian Bug Tracking System (2024-01-27 09:42:03)
> > Processing commands for cont...@bugs.debian.org:
> >
> > > retitle 1061577 rust-io: RUSTSEC-2020-0021: CVE-2020-35876:
> > > use-after-free buffer access when a future is leaked
> > Bug #1061577 [src:rust-rio] rust-rio: use-after-free buffer access when a
> > future is leaked
> > Changed Bug title to 'rust-io: RUSTSEC-2020-0021: CVE-2020-35876:
> > use-after-free buffer access when a future is leaked' from 'rust-rio:
> > use-after-free buffer access when a future is leaked'.
> > > thanks
> > Stopping processing here.
>
> The Debian source package src:rust-rio does *not* contain the Rust crate
> rio. That Rust crate originates from Github repository "sacejam/rio",
> whereas the Debian package originates from different Github repository
> "oxigrah/rio" which contains Rust crates rio_api, rio_turtle and
> rio_xml.
>
> Closing as a non-bug.
>
> - Jonas
>
> --
> * Jonas Smedegaard - idealist & Internet-arkitekt
> * Tlf.: +45 40843136 Website: http://dr.jones.dk/
> * Sponsorship: https://ko-fi.com/drjones
>
> [x] quote me freely [ ] ask before reusing [ ] keep private

Jonas: you may want to check your keyboard for the P key ;) It's missing from both repository name specifiers.

That aside, the package you uploaded as src:rust-rio is actually a combination of crates.io packages rio_api, rio_turtle, and rio_xml. Despite the upstream repository being named rio, it ("a low level library which provides conformant and fast parsers and formatters for RDF related file formats") is very different from the crates.io package rio, "bindings for io_uring".

As a convention in the Rust ecosystem, a crate name alone refers to the crate published on crates.io with that name. So rio means crates.io/crates/rio, the io_uring bindings package, not the RDF thing(s). The src:rust-* namespace currently follows that convention.

It's rather confusing that src:rust-rio isn't the io_uring one, regardless of packaging practices. Please consider using a more descriptive or namespaced name.

It may be a good chance to discuss naming of non-crates.io packages in Debian, thus sending to debian-rust.

--
Sdrager,
Blair Noctis