
zip crate (unmaintained? Change of ownership?) #1956

Closed
kbknapp opened this issue May 10, 2024 · 5 comments
Comments

kbknapp commented May 10, 2024

Filing an issue because I'm not sure how to handle this situation. Here are the facts:

Current state of this:

The repository zip-rs/zip2 holds the source for zip@>1.0, while zip-rs/zip-old holds the source for zip@<=0.6.6.

So the zip crate itself isn't "unmaintained" in the sense that >1.0 is indeed actively maintained, but it's maintained at a new repository by a new owner.

tarcieri (Member) commented:

There's some past discussion in #1949.

It was noted this is a handoff of maintainership which has echoes of a similar recent incident involving a widely used compression library and new maintainers, namely xz, and the associated supply chain attack.

From the @rustsec perspective zip itself is maintained, even though the maintainers have changed. Some increased scrutiny of new releases is probably warranted.

kbknapp (Author) commented May 10, 2024

#1949 addresses the zip_next crate, but there is as yet no zip advisory. I don't mind filing one, but I wasn't sure if it should just be informational = "unmaintained" for versions <1.0, or whether there is some kind of informational = "change of ownership", etc.

tarcieri (Member) commented:

As I already mentioned, from our perspective zip itself is maintained, so there's no advisory to file.

We don't currently track "change of ownership". You could potentially request a new feature for that.

kbknapp (Author) commented May 10, 2024

Understood - I misread your first reply; I thought you said zip was unmaintained from the rustsec optic. Too little coffee on my part!

I'll close this.

As much as I'd love to be informed about changes to ownership, I'm not sure how a change of ownership would actually work in practice for rustsec as there's a lot of complexity in just defining that, which could lead to spammy feeling advisories that just get ignored.

@kbknapp kbknapp closed this as completed May 10, 2024
8573 (Contributor) commented May 11, 2024

> I'd love to be informed about changes to ownership

You could use cargo-vet. With that, one can mark the authors whom one trusts for each crate, and then cargo-vet will raise an error if one pulls in a new version of a crate published by someone whom one didn't mark as trusted.
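What that trust marking looks like in practice, as an added illustration that is not part of the thread and not taken from cargo-vet's own documentation: a `[[trusted.zip]]` entry in a project's `supply-chain/audits.toml`, the file that `cargo vet trust` writes. The `user-id` value below is a placeholder, not the real crates.io id of any zip publisher.

```toml
# supply-chain/audits.toml (constructed example; user-id is a placeholder)
#
# Versions of `zip` published by this crates.io user inside the date window
# are accepted without a per-version audit. A release pushed by any other
# publisher is not covered by an audit, exemption or trust entry, so
# `cargo vet` fails until someone reviews it or deliberately adds a new
# trust entry. That failure is the "new maintainer" signal the thread asks
# for, surfaced at dependency-update time rather than via an advisory.
[[trusted.zip]]
criteria = "safe-to-deploy"
user-id = 0            # placeholder: crates.io user id of the trusted publisher
start = "2024-05-10"   # only releases from this date onward are trusted
end = "2025-05-10"     # trust expires; renewing it is a conscious decision
notes = "Trusted after the zip-rs/zip2 handoff; re-review before renewing."
```

Running `cargo vet` after a `cargo update` is then the check: a `zip` version whose publisher is not in a trust entry shows up as unvetted instead of silently entering the lockfile.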
