Tracking unmaintained crates #134

Closed
tarcieri opened this issue Aug 29, 2019 · 9 comments

Comments

@tarcieri (Member) commented Aug 29, 2019

I was recently complaining about how core ecosystem crates like `term` are unmaintained. Someone responded with an interesting idea: have RustSec track this information and expose it through cargo-audit.

Here is a broad strokes sketch of how I think this could work:

  • Define a policy for what counts as an "unmaintained crate" (see below)
  • In this repo, create a crates/<unmaintained_crate>/unmaintained.toml file containing information about the crate's current status.
  • Surface this information as a warning in cargo-audit with an option to make it an error.

What policy makes sense for an unmaintained.toml? Well, the `term` crate is pretty clear-cut: the maintainer posted a "Looking For Maintainer (LFM)" GitHub issue:

Stebalien/term#93

I think a good starting point for a policy is, unlike other RustSec advisories, having package maintainers self-file these to announce to the community that the crate is unmaintained. I think this could have a secondary effect of helping maintainers in this position to find new maintainers. New maintainers can then remove the unmaintained.toml once they take ownership, and by doing so, the RustSec database gets a bonus added effect of becoming a sort of visibility point / audit log of crate ownership transfer in these cases.

@tarcieri (Member, Author) commented Aug 29, 2019

Just as an added thought, I think the unmaintained.toml, especially when filed by a crate owner, could include some interesting other metadata, like:

Crate `x` is unmaintained: the maintainer suggests using crates `y` or `z`

So even in cases where it doesn't help recruit a new maintainer, it can at least provide people pointers about what they should use instead.

@RalfJung (Contributor) commented Aug 29, 2019

Crate x is unmaintained: the maintainer suggests

So it's not maintained but there is a maintainer suggesting something? That sounds funny. ;)

@BurntSushi commented Aug 29, 2019

@RalfJung It happens: https://github.com/BurntSushi/chan#this-crate-has-reached-its-end-of-life-and-is-now-deprecated --- Although perhaps you might still consider that maintained since I put the message there.

@tarcieri (Member, Author) commented Aug 29, 2019

See also this recent thread on MP3 crates:

https://rust-audio.discourse.group/t/opportunity-mp3-crate/122/6?u=tarcieri

In it there are authors both willing to transfer ownership of their crates, and also suggesting alternative crates, so I've definitely seen it happen "in the wild".

@RalfJung (Contributor) commented Aug 29, 2019

I was mostly saying that it seems odd to call them "maintainers" if they are not maintaining it. Maybe "former maintainers" or so?

@porglezomp commented Aug 29, 2019

Are you already using the

[badges]
maintenance = { status = "..." }

metadata that can be present in the Cargo.toml? Would it be beneficial to pitch for extra optional keys for that in the case that status = "deprecated"?

@tarcieri (Member, Author) commented Aug 29, 2019

@porglezomp no, but that's a good point.

After some discussion on this issue, I got to thinking that perhaps a good feature to add is an "informational advisory" which can warn for certain crate revisions, but doesn't fail the audit:

#131 (comment)

We could have various categories of informational advisories, and one of them could be "looking for maintainer"

This would allow us to reuse the same advisory format rather than adding a bespoke new one.
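The sketch at the top of the thread (a per-crate unmaintained.toml, surfaced by cargo-audit as a warning with an option to make it an error) and the "informational advisory" category proposed just above describe the same check. As an added example, not code from this thread, from RustSec or from cargo-audit, here is a small Rust model of that check: a constructed unmaintained.toml for `term` (the `y`/`z` alternatives and the version number are placeholders), a constructed Cargo.lock excerpt, and an audit that warns by default and fails only when the caller opts in. The file format, the field names, the accepted status list and the toy TOML-subset reader are all assumptions made for this example; a real implementation would use a proper TOML crate and the RustSec advisory format.

```rust
use std::collections::HashMap;

type Table = HashMap<String, Vec<String>>;

/// Statuses this example's policy accepts in an informational advisory. The
/// names mirror Cargo's `[badges] maintenance` status values mentioned in the
/// thread, but the policy itself is an assumption made for this example.
const KNOWN_STATUSES: &[&str] = &["unmaintained", "looking-for-maintainer", "deprecated"];

/// Minimal TOML-subset reader, enough for the constructed fixtures below: a
/// line starting with `[` opens a new table; values are either "string" or a
/// single-line ["a", "b"] array. Not a general TOML parser.
fn parse_tables(text: &str) -> Vec<Table> {
    let mut tables = vec![Table::new()];
    for raw in text.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        if line.starts_with('[') {
            tables.push(Table::new());
            continue;
        }
        if let Some((key, value)) = line.split_once('=') {
            let value = value.trim();
            let values: Vec<String> = match value.strip_prefix('[').and_then(|s| s.strip_suffix(']')) {
                Some(inner) => inner.split(',').map(unquote).filter(|s| !s.is_empty()).collect(),
                None => vec![unquote(value)],
            };
            tables.last_mut().unwrap().insert(key.trim().to_string(), values);
        }
    }
    tables.into_iter().filter(|t| !t.is_empty()).collect()
}

fn unquote(s: &str) -> String {
    s.trim().trim_matches('"').to_string()
}

/// An informational advisory: warns by default and never fails the audit
/// unless the user opts in. Field names are hypothetical.
#[derive(Debug, Clone, PartialEq)]
pub struct Informational {
    pub package: String,
    pub status: String,
    pub alternatives: Vec<String>,
}

/// Read one hypothetical unmaintained.toml; unknown statuses are rejected so a
/// typo in a self-filed advisory cannot silently create a new category.
pub fn parse_informational(text: &str) -> Option<Informational> {
    let table = parse_tables(text).into_iter().next()?;
    let status = table.get("status")?.first()?.clone();
    if !KNOWN_STATUSES.contains(&status.as_str()) {
        return None;
    }
    Some(Informational {
        package: table.get("package")?.first()?.clone(),
        status,
        alternatives: table.get("alternatives").cloned().unwrap_or_default(),
    })
}

/// (name, version) pairs from a Cargo.lock excerpt (single-line fields only).
pub fn lock_packages(lock: &str) -> Vec<(String, String)> {
    parse_tables(lock)
        .into_iter()
        .filter_map(|t| Some((t.get("name")?.first()?.clone(), t.get("version")?.first()?.clone())))
        .collect()
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Pass,
    Warn(Vec<String>),
    Fail(Vec<String>),
}

/// Match locked packages against informational advisories. `deny_informational`
/// is the "option to make it an error" from the sketch.
pub fn audit(lock: &str, advisories: &[Informational], deny_informational: bool) -> Verdict {
    let mut findings = Vec::new();
    for (name, version) in lock_packages(lock) {
        for adv in advisories.iter().filter(|a| a.package == name) {
            let mut msg = format!("{} {} is {}", name, version, adv.status);
            if !adv.alternatives.is_empty() {
                msg.push_str(&format!("; former maintainer suggests: {}", adv.alternatives.join(", ")));
            }
            findings.push(msg);
        }
    }
    match (findings.is_empty(), deny_informational) {
        (true, _) => Verdict::Pass,
        (false, true) => Verdict::Fail(findings),
        (false, false) => Verdict::Warn(findings),
    }
}

/// Process exit status: only a Fail breaks the build.
pub fn exit_code(verdict: &Verdict) -> i32 {
    match verdict { Verdict::Fail(_) => 1, _ => 0 }
}

/// Constructed fixtures (not real advisory or lockfile content).
pub const UNMAINTAINED_TERM: &str = "package = \"term\"\nstatus = \"looking-for-maintainer\"\nalternatives = [\"y\", \"z\"]\n";
pub const LOCKFILE: &str = "[[package]]\nname = \"term\"\nversion = \"0.6.1\"\n\n[[package]]\nname = \"serde\"\nversion = \"1.0.99\"\n";

fn main() {
    let adv = parse_informational(UNMAINTAINED_TERM).expect("fixture parses");
    let verdict = audit(LOCKFILE, &[adv], false);
    println!("{:?} (exit {})", verdict, exit_code(&verdict));
}
```

The split between Warn and Fail is the whole point: a CI job that runs the audit keeps passing on an unmaintained dependency until the team deliberately turns on the deny flag, and the finding carries the alternatives so the warning is actionable rather than just noise.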

@tarcieri (Member, Author) commented Sep 1, 2019

If we ship such a feature, here's a crate we should track:

https://twitter.com/passcod/status/1168188637361725442

@Shnatsel (Contributor) commented Sep 1, 2019

I believe the rustcrypto crate was also unmaintained but impossible to take down for a good while.
