Create advisory for unmainted in serde_yaml
#2023
Conversation
|
Is it possible to get this one merged in? |
|
Available alternatives: |
|
FWIW I've had personal email correspondence with dtolnay when the project was initially marked as "deprecated" and archived on GitHub, and he confirmed that he will do no further work on serde_yaml and unsafe-libyaml. |
| # Identifier for the advisory (mandatory). Will be assigned a "RUSTSEC-YYYY-NNNN" | ||
| # identifier e.g. RUSTSEC-2018-0001. Please use "RUSTSEC-0000-0000" in PRs. | ||
| id = "RUSTSEC-0000-0000" | ||
|
|
||
| # Name of the affected crate (mandatory) | ||
| package = "serde_yaml" | ||
|
|
||
| # Disclosure date of the advisory as an RFC 3339 date (mandatory) | ||
| date = "2024-07-21" | ||
|
|
||
| # URL to a long-form description of this issue, e.g. a GitHub issue/PR, | ||
| # a change log entry, or a blogpost announcing the release (optional, except | ||
| # for advisories using a license that requires attribution). | ||
| url = "https://github.com/dtolnay/serde-yaml/blob/master/README.md" | ||
|
|
||
| # Optional: Indicates the type of informational security advisory | ||
| # - "unsound" for soundness issues | ||
| # - "unmaintained" for crates that are no longer maintained | ||
| # - "notice" for other informational notices | ||
| informational = "unmaintained" | ||
|
|
||
| # Freeform keywords which describe this vulnerability, similar to Cargo (optional) | ||
| keywords = ["yaml", "serde", "serialization"] | ||
|
|
||
| # Versions which include fixes for this vulnerability (mandatory) | ||
| # All selectors supported by Cargo are supported here: | ||
| # https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html | ||
| # use patched = [] e.g. in case of unmaintained where there is no fix |
|
dtolnay reports that https://old.reddit.com/r/rust/comments/1ibdxf9/beware_of_this_guy_making_slop_crates_with_ai/ |
|
Also since this PR seems to be stalled, perhaps someone else could open another? |
|
I am personally opposed to this kind of advisory, all that it will do is push people toward crates that are shady like |
|
@Sytten as stated earlier, this advisory explicitly shouldn't list |
|
On Sytten's point, I think the value add of unmaintained advisories is worth discussion especially as they seem to surface by default these days or so because everyone tends to deny audit warnings and that enables unmaintained informational ones too. @tarcieri do you want a separate issue for that discussion or are you ok with me (and maybe others) writing thoughts here? |
|
This is definitely not the place to debate the value of unmaintained advisories. I am personally exhausted and very burned out from past debates on this topic, which have included things like Reddit brigading. Rekindling ad hoc debates about the value of unmaintained advisories yet again risks me burning out on the project. It would be much more helpful to make constructive suggestions about how they can be improved, or if you feel the rationale for their existence is not properly described, helpfully describe what you would like to see. |
|
|
||
| # serde_yaml - no longer maintained | ||
|
|
||
| The creator of serde_yaml has stated in the readme of their repo that the lib is no longer maintained, and also marked versoin 0.9.34 as deprecated. |
There was a problem hiding this comment.
| The creator of serde_yaml has stated in the readme of their repo that the lib is no longer maintained, and also marked versoin 0.9.34 as deprecated. | |
| The creator of serde_yaml has stated in the readme of their repo that the lib is no longer maintained, and also marked version 0.9.34 as deprecated. |
Can't raise an issue on
serde_yamlas the repo is archived.