-
Notifications
You must be signed in to change notification settings - Fork 183
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: RUSTSEC-2020-0071 #3150
fix: RUSTSEC-2020-0071 #3150
Conversation
@@ -3387,17 +3484,6 @@ version = "0.2.0" | |||
source = "registry+https://github.com/rust-lang/crates.io-index" | |||
checksum = "3bf63baf9f5039dadc247375c29eb13706706cfde997d0330d05aa63a77d8820" | |||
|
|||
[[package]] | |||
name = "time" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
time v0.1 removed
Not a fan of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a reason behind the additional crate updates?
provider/datagen/Cargo.toml
Outdated
syn = {version = "1.0", features = ["parsing"] } | ||
tinystr = { version = "0.7.1", path = "../../utils/tinystr", features = ["alloc", "serde", "zerovec"], default-features = false } | ||
toml = "0.5" | ||
writeable = { version = "0.5.1", path = "../../utils/writeable" } | ||
zerovec = { version = "0.9.2", path = "../../utils/zerovec", features = ["serde", "yoke"] } | ||
zip = { version = "0.5", default-features = false, features = ["deflate"] } | ||
zip = { version = "0.6", default-features = false, features = ["deflate"] } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd rather not update zip to 0.6 just yet since we're trying to keep dependencies in sync with other places.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
zip 0.5 depends on time 0.1, which is the root cause of this rustsec issue
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are not using zip with that feature enabled
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you would like to, you can add a comment to the dependency allowlist for zip as used by datagen and mention that the list should never contain time
unless zip
is 0.6.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another thing that would be fine is using a range dep: ">=0.5.0, <0.7.0"
; basically I do not want to lose the ability to use zip
0.5
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
zip v0.6
is also one of the dependencies of cached-path v0.6.1
, a range dep >=0.5.0, <0.7.0
does not change the version resolution tho
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cached_path can also get a range, then
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should be possible to use ICU4X with zip 0.5, basically.
Again, all of this is moot for the time vuln: we're not using zip with that feature enabled
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, i guess cached-path
does, which is a bit of a bummer
Also this fails MSRV
|
d3203e2
to
f87a6c1
Compare
Notice: the branch changed across the force-push!
~ Your Friendly Jira-GitHub PR Checker Bot |
@Manishearth Correct me if I'm wrong but I think to achieve the MSRV rule, versions of IMHO, to properly test MSRV for a lib crate, it needs to build a crate that depends on this lib without |
No, it is sufficient to pin it in the lockfile here. A crate that depends on this will not build with rust 1.61 out-of-the-box, but they can fix this themselves as needed in their own lockfile, it's a pretty normal workflow. While some high-profile crates do guarantee MSRV for themselves and their dependencies, by and large the community does not do this as it usually involves a lot of coordination, and library authors often do not appreciate being asked to sign up for an MSRV because their dependents wish to do so. There are issues open to make Cargo dependency resolution take msrv into account, and most library authors seem to be holding out for that. We achieve an approximation of the out-of-the-box property by having a relatively small number of external dependencies on the main ICU4X crates. If a lockfile pin was needed for a dependency of a main ICU4X crate (not datagen) it would give me some pause, but that's not the case here. We do plan on adding lockfile tests (minimal/maximal versions) and probably will add an MSRV test scoped for the core ICU4X crate. Datagen is a bit special since we don't actually care as much about MSRV there especially in the binary mode. We test it because it's easier to test everything than to test a subset and then accidentally missing stuff, and we do care about MSRV a little bit for library mode (but not enough to want to maintain the out-of-the-box property, datagen is mostly a build time dep for people if they use it via Cargo at all, which is somewhat rare). |
The MSRV CI matters because it means that users have the option to build with MSRV. They are not our only users, there will be users who do not care about MSRV but do have newer versions of a crate in their deptree, and we disadvantage them by forcing multiple versions of a crate (which Cargo can often handle, but sometimes it breaks other things). It's a tradeoff without a single clear answer. |
Regarding |
(As to why I don't mind that cached-path depends on zip: cached-path is a feature that can be disabled and is not relevant in the context where I need zip 0.5) |
@Manishearth fixed as u suggested |
@@ -77,7 +77,7 @@ tinystr = { version = "0.7.1", path = "../../utils/tinystr", features = ["alloc" | |||
toml = "0.5" | |||
writeable = { version = "0.5.1", path = "../../utils/writeable" } | |||
zerovec = { version = "0.9.2", path = "../../utils/zerovec", features = ["serde", "yoke"] } | |||
zip = { version = "0.6", default-features = false, features = ["deflate"] } | |||
zip = { version = ">=0.5, <0.7", default-features = false, features = ["deflate"] } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you should also cargo update -p zip
to get the new version so that the time 0.1
dep disappears from the lockfile
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and cached-path as well
I'm fine maintaining the property that time 0.1
isn't in our lockfile, even if clients will have the opportunity to use older crates.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure but again the lock file does not effect the crate user, I thought it would be easier for u to keep it 0.5 while I can upgrade to 0.6 if that's preferable
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I understand how lockfiles work.
"A crate with a vulnerability is not in the lockfile" is easy for tooling to check and maintain, even though it doesn't mean we've completely excised the dep from all theoretical dependency chains.
And like I said clients needing to stick to zip 0.5 can, because we are giving them the flexibility.
Ultimately dependency management is something that the application developer at the end of the dependency tree must do: as library authors we can make the job easy for them by reducing deps and keeping things flexible, but different people have different needs and we cannot guess those as library authors. Some people care about MSRV. Others have vendored crates and want to stick to those versions as much as possible. Different people have different security stances around vulnerabilities.
You're seeing the confluence of a bunch of different requirements here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Manishearth time v0.1 is now removed from Cargo.lock
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because a lot of larger projects (for example Firefox, but there's also stuff in Google) vendor their dependencies, and also care about auditing dependencies. If they already have zip 0.5 they may prefer to stick to that. This is what I meant by "we're trying to keep dependencies in sync with other places": new dependencies are additional overhead for some people, and allowing users the flexibility to avoid that is good.
Not everyone is okay with a bloated dependency tree with multiple versions of the same crate. Different people have different needs and tradeoffs. Not every user of ICU4X is even using Cargo to drive the build.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's the best to use mono repo and workspace dependencies to avoid duplicate crates in dependency tree. For isolated crate repos it adds unnecessary and unmanageable maintenance burden. Anyways thanks for the review!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
........ yes, precisely, that's my point. We have clients that use monorepos. They would like to avoid duplicate crates, and they would like to avoid having to patch ICU4X's dep spec (or have to figure out when our dependencies are malleable). Expressing that flexibility with range deps helps.
We cannot use a dependency-vendored monorepo because ultimately we are a library and have multiple clients. We aren't trying to avoid duplicate crates, but we are trying to ensure that we do not force duplicate crates onto clients as much as possible.
This is a perfectly manageable maintenance burden for us. Aside from datagen, ICU4X has a low number of dependencies, and even datagen has a manageable number of dependencies if built in certain modes, and we have tests ensuring that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Arguably, as a lib crate I think the CI needs to cover all combinations of zip, cached-path versions. And if more crate more versions are added the num of combinations soon become 'unmanageable'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I said already, we do have plans for minimal/maximal version testing, and hope to do an MSRV test with minimal/maximal versions for a subset of the project (so, not datagen, would not affect zip/cached-path). Currently we achieve some of these properties to an acceptable level by having very few dependencies on the main part of the project.
There are diminishing returns after you have minimal/maximal testing.
And ultimately it is normal in the Rust community for applications to run a bunch of cargo update --precise
s if they have specific additional constraints for their dependencies.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
…2685) After this, we are still waiting for `indexmap` & `dashmap` to provide the new `hashbrown` to reduce duplicate dependencies, and for `criterion` to remove `clap` and release a new version. We're also waiting for a new version of `icu_datagen` that bumps the `zip` dependency to avoid a potential vulnerability. Ideally, they would also bump the `simple_logger` dependency, which is pretty outdated. In any case, `simple_logger` still uses an unmaintained `atty` dependency. Relevant issues: - xacrimon/dashmap#250 - unicode-org/icu4x#3150 - bheisler/criterion.rs#599 - borntyping/rust-simple_logger#74
This PR tries to fix https://rustsec.org/advisories/RUSTSEC-2020-0071 by removing
time 0.1
from dependency tree