interledger / interledger-rs

An easy-to-use, high-performance Interledger implementation written in Rust
http://interledger.rs

RUSTSEC-2020-0159: migration from chrono #737

Closed koivunej closed 2 years ago

koivunej commented 2 years ago

RUSTSEC-2020-0159 means there should be an investigation into migrating to time. Some parts of the current timestamp parsing in the -packet or -stream crates should be extra carefully verified against the respective Interledger RFCs, as there might not be good existing test cases.

koivunej commented 2 years ago

Marking this as good-first-issue for quite limited scope and easy discoverability (follow chrono dependencies). The scope includes multiple crates, but test case examples should exist wherever there is parsing code.
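As an added illustration of the parsing concern raised in this issue (example code, not from interledger-rs or any of its contributors): a dependency-free parser for the fixed-width ILP timestamp, assuming the 17-byte `YYYYMMDDHHMMSSmmm` UTC form used in ILP packet expiries, with the range checks a hand-rolled replacement for chrono's parser must keep.

```rust
// Added example (not interledger-rs code): parse the 17-byte ILP timestamp
// "YYYYMMDDHHMMSSmmm" (assumed format) without chrono, rejecting anything
// that is not a strictly valid calendar instant so that a migration away
// from chrono can be checked against the RFC encoding rather than against
// chrono's own leniency or strictness.

#[derive(Debug, PartialEq, Eq)]
pub struct IlpTimestamp {
    pub year: u16, pub month: u8, pub day: u8,
    pub hour: u8, pub minute: u8, pub second: u8, pub millis: u16,
}

fn is_leap(y: u16) -> bool { (y % 4 == 0 && y % 100 != 0) || y % 400 == 0 }

fn days_in_month(y: u16, m: u8) -> u8 {
    match m {
        1 | 3 | 5 | 7 | 8 | 10 | 12 => 31,
        4 | 6 | 9 | 11 => 30,
        2 if is_leap(y) => 29,
        2 => 28,
        _ => 0,
    }
}

/// Parse a fixed-width decimal field; every byte must be an ASCII digit.
fn field(bytes: &[u8]) -> Option<u32> {
    bytes.iter().try_fold(0u32, |acc, &b| {
        if b.is_ascii_digit() { Some(acc * 10 + (b - b'0') as u32) } else { None }
    })
}

pub fn parse_ilp_timestamp(raw: &[u8]) -> Option<IlpTimestamp> {
    if raw.len() != 17 { return None; } // exact width: no short input, no trailing bytes
    let year = field(&raw[0..4])? as u16;
    let month = field(&raw[4..6])? as u8;
    let day = field(&raw[6..8])? as u8;
    let hour = field(&raw[8..10])? as u8;
    let minute = field(&raw[10..12])? as u8;
    let second = field(&raw[12..14])? as u8;
    let millis = field(&raw[14..17])? as u16; // three digits, so at most 999
    // Calendar range checks: "20230229" must fail just as it would under chrono.
    if !(1..=12).contains(&month) || day == 0 || day > days_in_month(year, month) { return None; }
    // Assumption: leap seconds are not representable in ILP timestamps, so 59 is the max.
    if hour > 23 || minute > 59 || second > 59 { return None; }
    Some(IlpTimestamp { year, month, day, hour, minute, second, millis })
}
```

The rejected cases (wrong width, non-digit byte, 29 February in a non-leap year, hour 24) are the kind of test vectors worth adding next to any parsing code touched by the migration.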

pinkforest commented 2 years ago

@koivunej There is now a new patched version of chrono, 0.4.20: https://github.com/rustsec/advisory-db/pull/1306. The new version has a pure Rust version of localtime_r :partying_face: You might want to bump your Cargo.lock for it.

koivunej commented 2 years ago

@pinkforest thanks for letting me know!

pinkforest commented 2 years ago

@koivunej thanks for the response :purple_heart:

Would you have time to roll a release to crates.io?

Re: maintenance: https://github.com/interledger-rs/interledger-rs/issues/745

Could we also bump up the unicase dep? re: https://github.com/interledger-rs/interledger-rs/pull/744

Cheers

koivunej commented 2 years ago

I can handle the Cargo.lock updates because I should still have write access, but I cannot update crates.io. Even if I could, I would probably just yank the existing releases re: #687, as this repo's output is only used as a binary as far as I know, rather than as the many interconnected library crates.

I'll reply to you over at #745 about the maintainership, possibly later.

pinkforest commented 2 years ago

Sweet - @emschwartz seems to have the crates.io access - could use cargo owner --add username or do cargo yank: https://doc.rust-lang.org/cargo/commands/cargo-owner.html https://doc.rust-lang.org/cargo/commands/cargo-yank.html

Sadly the unicase dep is a semver bump, so users still pick up 2.5 with no backported fix; would have to bump that too, to 2.6.

koivunej commented 2 years ago

chrono got updated in #747, so closing this. unicase is still pending.