Conflicting info about yanking crates

[sunshowers]

While trying to resolve RUSTSEC-2024-0020, we found some conflicting information (ardaku/whoami#97 (comment)):

• https://github.com/rustsec/advisory-db/blob/main/CONTRIBUTING.md#optional-steps recommends yanking affected crate versions.
• However, https://doc.rust-lang.org/cargo/commands/cargo-yank.html#when-to-yank says to not yank for security issues, and instead to use RustSec.

Which one of these recommendations controls?

[tarcieri]

It seems like the Cargo docs discourage yanking for security vulnerabilities as disruptive, but IMO there is no reason not to yank a crate for a security vulnerability if there is a SemVer-compatible upgrade. Yanking becomes disruptive when there is no SemVer-compatible upgrade.

[sunshowers]

Thanks Tony! Do you think you could work with Cargo upstream to clarify the situation?

[tarcieri]

Yeah, it'd be good to open an issue about syncing this advice with RustSec

[EliahKagan]

It seems to me that the advice here should also be narrowed. Something like:

-4. [Yank] the affected versions of the crate.
+4. [Yank] the affected versions of the crate, if a SemVer-compatible upgrade is available.

But I worry that may not be quite right, because there are probably uncommon circumstances where yanking vulnerable versions should be done even in the absence of a SemVer-compatible upgrade. For example, in a vulnerability where a malicious dependency was accidentally used, usually it can be eliminated without a breaking change, but yanking is probably justified even if it cannot.

[sunshowers]

Maybe we could provide general advice and a list of special cases to consider.