Bug 2177714

Summary: RUSTSEC-2021-0153: encoding is unmaintained
Product: [Fedora] Fedora
Reporter: Fabio Valentini <decathorpe>
Component: rust-encoding
Assignee: Rust SIG <rust-sig>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 39
CC: decathorpe, rust-sig
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Type: Bug
Bug Depends On: 2214199, 2214200, 2214202, 2214206, 2214201

Description Fabio Valentini 2023-03-13 13:17:28 UTC
cf. https://rustsec.org/advisories/RUSTSEC-2021-0153.html

The last release of the "encoding" crate was on 2016-08-28, and the last commit in the git repository of the project on GitHub was on 2017-07-11.

The "encoding_rs" crate is listed as a possible replacement.

The following Rust packages in Fedora depend on the "encoding" crate:

- librsvg2
- bat
- compress-tools
- lopdf
- tendril
- url (v1)

I plan to mark the "rust-encoding-devel" package with "Provides: deprecated()" to ensure no new packages in Fedora start depending on it, and will file additional bugs for all dependent packages.

Comment 1 Fabio Valentini 2023-06-12 09:49:57 UTC
librsvg2 seems to have switched from the "encoding" to the "encoding_rs" crate since I filed this bug.

Comment 2 Fedora Release Engineering 2023-08-16 07:11:34 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.