rustsec / advisory-db

Security advisory database for Rust crates published through crates.io
https://rustsec.org

`winapi` is (now actually) unmaintained #2031

Closed Jasper-Bekkers closed 3 weeks ago

Jasper-Bekkers commented 1 month ago

Additional context: https://github.com/rustsec/advisory-db/pull/1098

I opened an issue about this in 2021, and back then this was deemed controversial, which I expected and agreed with. However, I think it's time to reevaluate this standpoint. We're in 2024 now, and the last PR to winapi landed around the same time I filed the original issue (November 2021, which was the first commit in a year). The last release of the winapi crate was 4 years ago.

https://github.com/retep998/winapi-rs/commits/0.3/

I think it's fair to say that winapi is now actually unmaintained and abandoned and we should re-evaluate merging that advisory.

tarcieri commented 1 month ago

I'd agree it looks unmaintained; however, per our HOWTO_UNMAINTAINED.md policy, to qualify as unmaintained the author must not have responded to an inquiry about the maintenance status for 90 days.

This inquiry seems suitable: https://github.com/retep998/winapi-rs/issues/1055

It's been 38 days since that issue was opened. So to meet our policy, per that issue it must go without a response until September 16th.

If you can find an earlier issue about the maintenance status, that would work too.

Skgland commented 1 month ago

What about https://github.com/retep998/winapi-rs/issues/1052 from April 5th?

Skgland commented 1 month ago

Maybe even https://github.com/retep998/winapi-rs/issues/1020 from 2022

tarcieri commented 1 month ago

It really needs to be an explicit inquiry into the project's maintenance status

Skgland commented 1 month ago

I can understand 1020, asking for an FAQ entry on which crate to choose, not being considered an inquiry into maintenance status, but 1052, asking whether the project is dead, sounds like an inquiry regarding maintenance status to me.

tarcieri commented 1 month ago

Oh sorry, yes, I agree that looks suitable as well, and it's been 112 days since then.

ChrisDenton commented 1 month ago

So a project that gets security only fixes needs to keep responding to new "is this maintained" issues every 90 days?

tarcieri commented 1 month ago

@ChrisDenton if you find an actual case of a project which is actually being maintained being overly bombarded with maintenance inquiries, let me know

ChrisDenton commented 1 month ago

Sure.

In this case though it seems like nothing has changed from the last time this was discussed. The maintainer is available if there is a security issue but is otherwise no longer interested in doing more than that.

tarcieri commented 1 month ago

I think you're manufacturing controversy where it doesn't exist. We're simply trying to do our due diligence here in following an established policy.

If you have a specific change to propose to that policy, please make it in a separate issue / PR.

ChrisDenton commented 1 month ago

Huh? I'm confused now. I don't think there's controversy?

tarcieri commented 1 month ago

Then I have no idea what you are attempting to contribute here.

ChrisDenton commented 1 month ago

That the maintenance status of winapi is unchanged.

tarcieri commented 1 month ago

So, you agree winapi qualifies as unmaintained?

ChrisDenton commented 1 month ago

The maintainer is available if there is a security issue but is otherwise no longer interested in doing more than that.

Same as last time we went into this.

tarcieri commented 1 month ago

I'm not sure what you're trying to say. As far as I can tell, the author is completely incommunicado, the crate has received no updates for years, and windows-rs seems like the obvious successor.

Again, I think you're manufacturing controversy where it doesn't exist.

alex commented 1 month ago

@ChrisDenton appears to be referencing https://github.com/rustsec/advisory-db/pull/1098#issuecomment-1497927620, though I don't see what the basis for their comment (or conclusion that the status quo is unchanged from then) is.

I think their point is: if the maintainer already confirmed somewhat recently (a year ago) that they're around to fix security vulnerabilities, doesn't a policy of "90 days" effectively encourage people to keep nagging them?

My view is that a) it appears to me that winapi is probably unmaintained, b) I think that unmaintained advisories need some deeper reconsideration, I think they generate a significant portion of the controversy, have generated blowback for OSS maintainers, and it's unclear that filing them is significantly improving security.

tarcieri commented 1 month ago

> I think their point is: If the maintainer already confirmed somewhat recently (a year ago) that they're around to fix security vulnerabilities

@alex where was that? I'm still missing it

alex commented 1 month ago

https://github.com/rustsec/advisory-db/pull/1098#issuecomment-1497927620 is the most recent comment I can find asserting the maintainer's status, from April 2023. As I said, I don't know @ChrisDenton's basis for that comment, but I'm assuming they had a private conversation with the maintainer.

ChrisDenton commented 1 month ago

I've contacted the author within the last year and can do so again if it would help. Or you could ping them here.

As far as I'm aware there are no security issues that have needed dealing with in the last few years.

> and windows-rs seems like the obvious successor

Right, pushing people to use the newer crate is good and all but I'm unclear how that's advisory-db's job unless there is a potential security concern.

tarcieri commented 1 month ago

Okay, sorry, it was unclear to me that @ChrisDenton was speaking on behalf of the maintainer. It would've been helpful to state that outright.

Still, our current policy is a 90 day window. If you want to propose a change to that, this issue isn't the place to do it.

alex commented 1 month ago

I've filed https://github.com/rustsec/advisory-db/pull/2032 to propose a change to the policy.

retep998 commented 3 weeks ago

Why are people expecting me to respond to issues on my own repo?

retep998 commented 3 weeks ago

> As far as I can tell, the author is completely incommunicado.

I've always been around, and I respond to pings on Discord very quickly. I just have very little interest in working on winapi itself so I haven't been paying attention to any notifications for that repo.

tarcieri commented 3 weeks ago

@retep998 okay, thanks. Based on that I think we can close this.