`rustls-pemfile` is archived

[abs0luty]

A recent CI run reports that rustls-pemfile is now flagged as unmaintained. The lockfile shows version 2.1.2 and the advisory RUSTSEC-2025-0134 states that the crate has been archived since August 2025:

error[unmaintained]: rustls-pemfile is unmaintained
    ┌─ /home/runner/work/gleam/gleam/Cargo.lock:254:1
    │
254 │ rustls-pemfile 2.1.2 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unmaintained advisory detected
    │
    ├ ID: RUSTSEC-2025-0134
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0134
    ├ The rustls-pemfile crate is no longer maintained. The repository has been archived since August
      2025, and users are encouraged to depend directly on the underlying PEM parsing code included
      in rustls-pki-types since 1.9.0. The latest version of rustls-pemfile is in fact a thin wrapper
      around the same code used in rustls-pki-types, so migrating should be straightforward.
      
      The new API is represented by the [`PemObject`][PemObject] trait, which provides methods for
      reading a single or multiple PEM objects from a file or byte slice.
      
      [PemObject]: https://docs.rs/rustls-pki-types/latest/rustls_pki_types/pem/trait.PemObject.html
    ├ Announcement: https://github.com/rustls/pemfile/issues/61
    ├ Solution: No safe upgrade is available!
    ├ rustls-pemfile v2.1.2
      └── ...

• Related issue: Archived - please see rustls-pki-types instead rustls/pemfile#61

[fruno-bulax]

ah, I just ran into the same thing and made a PR (#5188)

Unfortunately, that now adds a license which isn't explicitly allowed (CDLA-Permissive-2.0)

[lpil]

Is that licence compatible with Apache 2? If so then we can add it to the allow list

[fruno-bulax]

It seems the license is used for the underlying certificate data from this package https://github.com/rustls/webpki-roots?tab=readme-ov-file#license

It looks like we may have to attribute the CCADB? https://www.ccadb.org/rootstores/usage#ccadb-data-usage-terms

But I am not a lawyer and can't really make heads or tails of it.

[lpil]

It looks compatible to me. Reqwest itself is apache 2 licenced, so it must be, also!

[fruno-bulax]

It's definitely compatible, webpki-roots is also licensed under MIT/Apache. I just have no clue if gleam has to give attribution and/or include the license text similar to how webpki does.