Open alex opened 1 month ago
This is my proposal to reduce the volume of contentious unmaintained debates, and ideally also reduce burden/guilt/burnout concerns for maintainers.
Upon further reflection, 270 days seems kind of arbitrary. 90 days has a lot of precedent, e.g. responsible disclosure windows.
Perhaps we should go to 1 year (365 days)?
I definitely don't remember what I was thinking when I picked 270 -- 365 would be fine with me.
The 90 days sometimes really hurts me as I need to figure out how to handle these cases, but ... personally I like 90 days. That is three months of a maintainer being unresponsive. And that is after there is a problem with the maintenance that triggers someone to explicitly ask the maintainer if they are AWOL.
Sort of relevant, https://github.com/trailofbits/cargo-unmaintained can be used to find unmaintained dependencies before they hit this CVE threshold. There are a few issues that I have raised that mean it isn't quite ready for being used in CI.
I second this opinion. IMO, 90 days seems like a reasonable threshold.
But, in the event a vulnerability is reported, we'll consider a crate unmaintained after a shorter 60 days.