c.f. https://rustsec.org/advisories/RUSTSEC-2021-0153.html The last release of the "encoding" crate was on 2016-08-28, and the last commit in the git repository of the project on GitHub was on 2017-07-11. The "encoding_rs" crate is listed as a possible replacement. The following Rust packages in Fedora depend on the "encoding" crate: - librsvg2 - bat - compress-tools - lopdf - tendril - url (v1) I plan to mark the "rust-encoding-devel" package with "Provides: deprecated()" to ensure no new packages in Fedora start depending on it, and will file additional bugs for all dependent packages.
librsvg2 seems to have switched from the "encoding" to the "encoding_rs" crate since I filed this bug.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.
bat and lopdf have moved away from the "encoding" crate as well. The remaining dependent packages are: - rust-compress-tools - rust-tendril - rust-url1
As far as I can tell, all users of the "encoding" crate have now dropped the dependency. As soon as I can verify this with a global repository query, I will retire the package in Rawhide.
I have confirmed that nothing depends on this crate any longer in Rawhide, and have just retired the package: https://src.fedoraproject.org/rpms/rust-encoding/c/f13ed4598de7d43ca209a44844d0207d54412fcc I will retire it in EPEL9 as well as soon as the required updates are stable.