Arnavion / k8s-openapi

Rust definitions of the resource types in the Kubernetes client API
Apache License 2.0
373 stars, 42 forks

chrono not maintained - CVE-2020-26235 in time #109

Closed acim closed 2 years ago

acim commented 2 years ago

chrono depends on a vulnerable version of time and it seems not to be well maintained. Could you maybe replace it completely with some newer version of time, as suggested here?

Arnavion commented 2 years ago

We can continue discussing in https://github.com/kube-rs/kube-rs/issues/650 to keep the conversation in one place.

Arnavion commented 2 years ago

v0.14.0 has been released with default features disabled, as discussed in https://github.com/kube-rs/kube-rs/issues/650#issuecomment-946029033. This means that time 0.1 is already not pulled in by default. And if chrono ever removes chrono::Local or puts it behind a feature, that too will not be pulled in by default, without needing any change in k8s-openapi.

I'm not planning on replacing chrono with time completely at this time, unless there is more reason to. time resolved the vuln first by making the local time API fail unconditionally, and now by making it fail if it cannot determine that there's only one thread in the process. In my opinion this is going too far for what is reasonable for a library, especially since the trigger for this vuln is such an uncommon thing in the first place.

For posterity, this branch has the change for such a switch in case I change my mind in the future.
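The practical question for a downstream user of this thread is whether `time 0.1` is still in their own dependency graph after upgrading. The following script is an added example, not code from k8s-openapi or kube-rs: it parses `cargo tree --charset ascii` output and reports whether `time v0.1.x` is present and which crate pulls it in. The two sample trees (and every version number in them) are constructed for illustration; in a real project you would pipe the output of `cargo tree -e normal --charset ascii` into these functions, or simply run `cargo tree -i time@0.1` to get the inverse tree directly.

```sh
#!/bin/sh
# Added example (not k8s-openapi or kube-rs code): check a `cargo tree` listing for
# the vulnerable `time 0.1` crate that chrono's default features used to pull in.
#
# Real usage, from the root of your own project:
#   tree="$(cargo tree -e normal --charset ascii)"
#   has_time_0_1 "$tree" && echo "time 0.1 pulled in by: $(time_0_1_parent "$tree")"
#   cargo tree -i time@0.1      # cargo's own inverse view; errors if the crate is absent

# Returns 0 (true) if any line of the tree names `time v0.1.x`, 1 otherwise.
# Requiring a leading space or start of line avoids false positives on crate
# names that merely contain "time".
has_time_0_1() {
    printf '%s\n' "$1" | grep -Eq '(^| )time v0\.1\.[0-9]+'
}

# Prints the crate that directly depends on time 0.1 (its parent in the tree),
# e.g. "chrono v0.4.19". Relies on `--charset ascii` output, where each nesting
# level adds exactly four characters of tree decoration before the crate name.
time_0_1_parent() {
    printf '%s\n' "$1" | awk '
        {
            name = $0
            sub(/^[| `-]*/, "", name)               # strip "|   `-- " style decoration
            depth = (length($0) - length(name)) / 4  # nesting level of this crate
            stack[depth] = name                      # remember the crate at each level
            if (name ~ /^time v0\.1\./) { print stack[depth - 1]; exit }
        }'
}

# Constructed sample: an app on an older k8s-openapi with chrono's default
# features on, so chrono drags in time 0.1. Versions are illustrative only.
TREE_WITH_TIME01='myapp v0.1.0
|-- k8s-openapi v0.13.1
|   |-- chrono v0.4.19
|   |   |-- num-integer v0.1.44
|   |   |-- serde v1.0.130
|   |   `-- time v0.1.44
|   |       `-- libc v0.2.103
|   `-- serde v1.0.130 (*)
`-- serde v1.0.130 (*)'

# Constructed sample: the same app after the default-features change, where
# chrono is built without its clock/oldtime features and time 0.1 is gone.
TREE_WITHOUT_TIME01='myapp v0.1.0
|-- k8s-openapi v0.14.0
|   |-- chrono v0.4.19
|   |   |-- num-integer v0.1.44
|   |   `-- serde v1.0.130
|   `-- serde v1.0.130 (*)
`-- serde v1.0.130 (*)'

# Demo over both constructed trees.
for tree in "$TREE_WITH_TIME01" "$TREE_WITHOUT_TIME01"; do
    if has_time_0_1 "$tree"; then
        echo "time 0.1 present, pulled in by: $(time_0_1_parent "$tree")"
    else
        echo "time 0.1 absent"
    fi
done
```

The parent lookup is what makes the check actionable: knowing that `chrono` (rather than some other crate) is the one pulling in `time 0.1` tells you whether upgrading k8s-openapi to 0.14.0 or setting `default-features = false` on your own `chrono` dependency is the fix, instead of chasing the wrong crate. `cargo audit` will flag the same crate from `Cargo.lock`, but it does not tell you which path brought it in.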