Create advisory for unmaintained `paste` crate #2215
FWIW, I maintain the package for this crate in Fedora Linux, and 150+ of our packages depend on it. As such, I'll likely need to keep it around basically forever anyway, and would also contribute some maintenance if needed. I assume the Debian packagers will be in a similar boat. Not sure if that would be enough to revoke this "unmaintained" advisory. (I would have filed an issue on the "paste" repo, but it is already archived, so issues are read-only.)
I have created a crate named pastey. This crate is a fork of paste and is a direct drop-in replacement for the paste crate, along with some other features and bug fixes that paste was lacking.
https://rustsec.org/advisories/RUSTSEC-2024-0436.html now causes the `cargo deny advisories` check to fail (even if the separate and more important failure from `ring` is fixed by bumping the `ring` version, as in GitoxideLabs#1878). `paste` is mature and would be hard to remove as a transitive dependency at this time:

```
> cargo tree --invert paste --no-dedupe --depth 3
paste v1.0.15 (proc-macro)
└── ratatui v0.26.3
    ├── crosstermion v0.14.0
    │   ├── gitoxide v0.41.0 (C:\Users\ek\source\repos\gitoxide)
    │   └── prodash v29.0.0
    ├── prodash v29.0.0
    │   ├── gitoxide v0.41.0 (C:\Users\ek\source\repos\gitoxide)
    │   ├── gix v0.70.0 (C:\Users\ek\source\repos\gitoxide\gix)
    │   └── gix-features v0.40.0 (C:\Users\ek\source\repos\gitoxide\gix-features)
    └── tui-react v0.23.2
        ├── crosstermion v0.14.0
        └── prodash v29.0.0
```

As discussed in rustsec/advisory-db#2215 and leptos-rs/leptos#3685, `paste` is widely used and there is community interest in maintaining it. When the status changes or more information about the future of `paste` or its alternatives is available, `deny.toml` could be updated again (even if only with a comment).
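The comment above describes suppressing RUSTSEC-2024-0436 in `deny.toml` while keeping a written justification next to it. The fragment below is an added illustration of that pattern, not the gitoxide project's actual `deny.toml` and not part of this thread; the advisory ID is the one discussed here, and the surrounding `[advisories]` keys are left at their cargo-deny defaults (an assumption, since the page shows none of the file).

```toml
# deny.toml (illustrative fragment, not the project's own file)
[advisories]
# cargo-deny matches entries in `ignore` by RustSec advisory ID and will
# still report the advisory in verbose output, so the suppression stays
# visible. Keep the reason in a comment so the next person auditing this
# file knows when it is safe to remove the entry.
ignore = [
    # `paste` is an unmaintained-crate advisory (not a vulnerability).
    # The crate is a transitive dependency via ratatui/prodash/tui-react
    # and is "finished" per rustsec/advisory-db#2215. Revisit when the
    # advisory is withdrawn or a maintained replacement is adopted.
    "RUSTSEC-2024-0436",
]
```

The trade-off to keep in mind: an `ignore` entry silences one specific advisory only, so a future vulnerability advisory against `paste` would still fail the check, which is the behaviour you want for an unmaintained proc-macro crate.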
It would be nice to get @dtolnay's blessing on any forks we explicitly name in the advisory.
I don't plan to endorse a particular replacement, but it doesn't make a difference to me. For my own use cases I would use
If the project is essentially "done", then I would feel competent to do enough "maintenance" for this advisory to be withdrawn. I am already responsible for the Fedora Linux package for this crate, so I need to keep it around either way. To make it explicit, I offer to do this if the "dtolnay/paste" repo is unarchived and transferred to me (or to the commons-rs org, which I set up a while ago for situations like this). The crate is also packaged for Debian, and I would reach out to its maintainers to see if they want to contribute as well.
The following findings are not fixed:

- `paste` is "finished": rustsec/advisory-db#2215 (comment)
- `ring` will be fixed by OpenSK
- `proc-macro-error` will be fixed by Yew: yewstack/yew#3752
Fixes #2203