Closed flavio closed 2 months ago
Hey all, just wanted to tag a few people who I believe are contributors to the following projects for visibility and to make sure people are ok with the change. Feel free to tag someone else if you are not the right person or if you know another project we didn't list, please let us know as well.
Based on what I found as well, the two options seem to be an advisory and/or yanking the old crate once the new one is published. An advisory seems a bit less heavy-handed, so that will probably be the best option. We can yank 6-12 months after publishing the new crate name.
Once we've given people a chance to respond, I think we publish 0.11.0 to the new crate location from the tag so that it is a 1:1 replacement for the current version (we could do one more version back as well if needed), and then all new releases would go to the new crate.
Also, to save on commenting again, I am good with this change for the projects I work on.
oci-client seems to reflect how we're using this crate in prod, so... LGTM to me too :+1:
LGTM!
Just a heads up that 0.11.0 is now published at https://crates.io/crates/oci-client
@flavio Based on the conversation in this issue (and its linked issues), I think we might want to hold off on an informational advisory for a few months to give people time to move over: https://github.com/rustsec/advisory-db/issues/1804
Fine with me. Should we push out a 0.11.1 release of oci-distribution with:
That could be done inside of a special branch, created starting from the 0.11.0 tag of oci-distribution. The goal would be to avoid these changes reaching the oci-client code.
Yeah we can push that up
We've recently moved this code from krustlet/oci-distribution over there (oras-project/rust-oci-client). Should we also rename the crate from oci-distribution to oci-client? We could then make PRs against the projects that are using oci-distribution to have them moved to the new crate. An approximate list can be found here.

Reading on the internet, we could issue an informal advisory inside of RustSec. In this way, cargo-audit would inform all the end users of the crate about the rename.
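As an added illustration of the migration PRs discussed in this thread (this is not a snippet from the issue or from the oras-project repositories), a dependent project's Cargo.toml can switch to the renamed crate without touching its `use oci_distribution::...` paths by using Cargo's `package` rename key. The version requirement `"0.11"` is an assumption based on 0.11.0 being the first release published under the new name; the dependency name on the left is whatever the downstream project already uses.

```toml
[dependencies]
# Old dependency line, kept here only as a comment for comparison (remove it
# once the migration is done; Cargo rejects a duplicate key in this table):
# oci-distribution = "0.11"

# New crate name on crates.io. The `package` key lets the source code keep
# referring to `oci_distribution` while the actual package pulled in is
# oci-client, so the switch is a one-line change in a downstream project.
oci-distribution = { package = "oci-client", version = "0.11" }
```

Once the downstream code has been updated to `use oci_client::...`, the alias can be dropped and the line becomes plain `oci-client = "0.11"`. Pinning to the new name also means that a later yank of the old crate, as floated above, would not break the build.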