Comment 0 for bug 2003831

Bryce Harrington (bryce) wrote :

node-trust-webcrypto and node-solid-keychain block the nodejs transition.

node-trust-webcrypto is a dependency of node-solid-keychain, but nothing else appears to depend on them in lunar:

  $ apt-cache rdepends node-trust-webcrypto
  node-trust-webcrypto
  Reverse Depends:
    node-solid-keychain
  $ apt-cache rdepends node-solid-keychain
  node-solid-keychain
  Reverse Depends:

Both of these are also failing Debian CI, with the same errors in test logs. Neither of these has had a release in a while, and they appear to be unmaintained. node-solid-keychain has been moved upstream out of the @solid/ namespace to @solid-contrib/, which seems to be causing its autopkgtest failures.

node-trust-webcrypto's upstream in particular includes an archiving notice:

https://github.com/anvilresearch/webcrypto/commit/210653f1bee449fec86214dc2fa4258fff775b4c

"# NOTICE # We’re archiving Anvil Connect and all related packages. This code is entirely MIT Licensed. You’re free to do with it what you want. That said, we are recommending _**against**_ using it, due to the potential for security issues arising from unmaintained software. For more information, see the announcement at [anvil.io](https://anvil.io)."

This seems a convincing point to me for removal of these two packages from the archive. As an unmaintained and out-of-date crypto package, users relying on it could be exposed to security issues that don't look likely to ever be addressed.