rustsec / advisory-db

Security advisory database for Rust crates published through crates.io
https://rustsec.org

Conflicting info about yanking crates #1914

Open sunshowers opened 4 months ago

sunshowers commented 4 months ago

While trying to resolve RUSTSEC-2024-0020, we found some conflicting information (https://github.com/ardaku/whoami/issues/97#issuecomment-1978981489):

Which one of these recommendations controls?

tarcieri commented 4 months ago

It seems like the Cargo docs discourage yanking for security vulnerabilities as disruptive, but IMO there is no reason not to yank a crate for a security vulnerability if there is a SemVer-compatible upgrade. Yanking becomes disruptive when there is no SemVer-compatible upgrade.

sunshowers commented 4 months ago

Thanks Tony! Do you think you could work with Cargo upstream to clarify the situation?

tarcieri commented 4 months ago

Yeah, it'd be good to open an issue about syncing this advice with RustSec.

EliahKagan commented 3 months ago

It seems to me that the advice here should also be narrowed. Something like:

```diff
-4. [Yank] the affected versions of the crate.
+4. [Yank] the affected versions of the crate, if a SemVer-compatible upgrade is available.
```

But I worry that may not be quite right, because there are probably uncommon circumstances where yanking vulnerable versions should be done even in the absence of a SemVer-compatible upgrade. For example, in a vulnerability where a malicious dependency was accidentally used, usually it can be eliminated without a breaking change, but yanking is probably justified even if it cannot.
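The rule discussed in the two comments above (yanking is safe when every affected release has a SemVer-compatible fixed release, and disruptive otherwise) can be checked mechanically before an advisory is closed. The following is an added example written for this thread, not code from the advisory-db project or from any of the commenters. It assumes the affected and patched releases are supplied as concrete `MAJOR.MINOR.PATCH` versions (real advisories express them as version ranges, and pre-release tags are not parsed), applies Cargo's default caret-compatibility rule, and uses a constructed crate name and constructed version lists. The special cases EliahKagan raises, such as a maliciously substituted dependency, are deliberately left to human judgement: the function only reports whether a yank would strand anyone.

```rust
// Added example for the RustSec issue thread, not part of advisory-db.
// Decides whether yanking the affected releases of a crate is disruptive,
// i.e. whether some affected release has no SemVer-compatible patched release.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parses a plain "MAJOR.MINOR.PATCH" string (assumption: no pre-release
    /// or build metadata, which advisory tooling would also have to handle).
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.');
        let major = parts.next()?.parse().ok()?;
        let minor = parts.next()?.parse().ok()?;
        let patch = parts.next()?.parse().ok()?;
        if parts.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }

    /// Cargo's caret rule: two versions are compatible when the leftmost
    /// non-zero component is unchanged (1.x.y with 1.*, 0.1.x with 0.1.*,
    /// 0.0.x only with itself).
    pub fn compatible_with(&self, other: &Version) -> bool {
        if self.major != other.major {
            return false;
        }
        if self.major == 0 {
            if self.minor != other.minor {
                return false;
            }
            if self.minor == 0 {
                return self.patch == other.patch;
            }
        }
        true
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum YankAdvice {
    /// Every affected release has a newer, SemVer-compatible patched release:
    /// `cargo update` resolves to the fix, so yanking does not strand anyone.
    Yank,
    /// These affected releases have no compatible upgrade; yanking them would
    /// leave dependents with nothing to resolve to until they bump the major.
    Disruptive(Vec<Version>),
}

/// Reports which affected releases would be stranded by a yank.
pub fn yank_advice(affected: &[Version], patched: &[Version]) -> YankAdvice {
    let stranded: Vec<Version> = affected
        .iter()
        .copied()
        .filter(|a| !patched.iter().any(|p| p > a && p.compatible_with(a)))
        .collect();
    if stranded.is_empty() {
        YankAdvice::Yank
    } else {
        YankAdvice::Disruptive(stranded)
    }
}

fn main() {
    // Constructed data for a hypothetical crate; not a real advisory.
    let v = |s: &str| Version::parse(s).expect("valid version");
    let affected = [v("0.1.8"), v("0.1.9"), v("1.0.0")];
    let patched = [v("1.0.1")]; // the 0.1.x line never received a fix
    match yank_advice(&affected, &patched) {
        YankAdvice::Yank => println!("example-crate: safe to yank all affected releases"),
        YankAdvice::Disruptive(stranded) => {
            println!("example-crate: yank would strand {:?}; consider a backported fix first", stranded)
        }
    }
}
```

Running it with the constructed data prints that `0.1.8` and `0.1.9` would be stranded, which is exactly the situation where the Cargo documentation's "disruptive" warning applies; backporting the fix to a `0.1.10` release first would turn the answer into `Yank`.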

sunshowers commented 3 months ago

Maybe we could provide general advice and a list of special cases to consider.