http-rs / surf

Fast and friendly HTTP client framework for async Rust
https://docs.rs/surf
Apache License 2.0

Maintenance status #352

Open djc opened 1 year ago

djc commented 1 year ago

Hi there, I was wondering about the maintenance status of this crate? There seems to be little activity. As a rustls maintainer, I noticed this is one of the most popular rustls dependents that's still on a pretty old version, which seems tricky for a security-sensitive crate.

Fishrock123 commented 1 year ago

Yeah. I don't really do this as a hobby much and my work is not presently overlapping with this.

To bump any of those crates a major version of Surf needs to be released. Ideally this major version would use new versioned feature flags and also the conditional cargo dependency stuff that now exists.

I am totally fine doing the cargo release and merging stuff like that but I am pretty preoccupied so I am unlikely to do the groundwork. If people do it, try to ping me off github because I may not see it here in a timely way at the moment.

djc commented 1 year ago

To be clear, I have no use case for surf so I won't be contributing code. I'm just wondering if it would make sense to put out a call for maintainers and/or put a note in the README and/or submit a RustSec advisory that the crate is unmaintained.

djc commented 1 year ago

FWIW, I've filed an issue against the advisory DB.

pinkforest commented 1 year ago

We reserve unmaintained advisories for completely unreachable maintainers or for cases where the maintainer states that it is unmaintained.

Since @Fishrock123 has offered to merge the fixes if someone pushes a PR out, by policy we can't flag an advisory on it without the maintainer's explicit wish to do so.

So we will be waiting to see if this action is okay with @Fishrock123, and then we can certainly do it.

FWIW - If an upstream crate has a security advisory on itself, then it would already get flagged in audit, and it is not required to flag downstream crates which still depend on the old version.

@djc maybe the action could be to flag the old rustls crate versions as unmaintained, and that will light up anything using the old versions?

Cheers

thomaseizinger commented 1 year ago

Since @Fishrock123 has offered to merge the fixes if someone pushes a PR out,

Despite being opened before this issue, https://github.com/http-rs/surf/pull/340 has received no attention from @Fishrock123.

Fishrock123 commented 1 year ago

Consider it unmaintained.

Let me know if I can help by putting something on the repo or such. I won’t have time to go through the significant effort this crate requires any time soon.