Guidance around yanking crates? #74
Comments
tarcieri added the question label Dec 6, 2018
bluejekyll commented Dec 11, 2018
I think there are some scenarios to consider in this that might make it problematic. One example I can think of is that people may be relying on older crates if they are building with older versions of the Rust compiler, yet there hasn't been a patch applied to the older versions of the code (maintainers won't have the time/capacity to go back and patch "supported" versions). I don't know what the right answer is here; my knee-jerk response is to agree with this proposal, but I think it could have untoward effects in the wider ecosystem.
8573 commented Dec 21, 2018
My one concern with a requirement that vulnerable versions be yanked is that it would seem to mean that filing vulnerability advisories would begin to require the cooperation of crate owners.
@8573 that is a good concern! It's also one we could work around with some sort of exemption list. I'm kind of torn on that particular issue: it would be nice to allow automated filing of vulnerabilities, but at the same time some curation of the database helps keep it consistent and also catch missing details in advisories.
tarcieri commented Dec 6, 2018
I think it makes sense to encourage people to yank all releases of any crate which match any vulnerable versions listed in advisories.
This could range from a heavy-handed lint on published crate versions which requires all impacted versions for a crate be yanked before the advisory can be merged, to a lighter touch "you should probably yank those crates" advice in both CONTRIBUTING.md and as a pull request comment.
What do people think about this?
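The "lint on published crate versions" floated in the proposal, as an added example that is neither part of this issue nor the RustSec project's own tooling: given an advisory's `patched`/`unaffected` requirements and the crate's release list from the registry, it reports vulnerable releases that are still not yanked. It assumes plain `x.y.z` versions and simple comparison requirements (`<`, `<=`, `>`, `>=`, `=`) rather than a full semver implementation.

```rust
// Added example, not RustSec code. A minimal "yank lint": every release that is
// vulnerable according to the advisory and is not yet yanked is reported.

#[derive(Clone, Copy, PartialEq, PartialOrd, Debug)]
pub struct Version(u64, u64, u64);

/// Parse a plain "major.minor.patch" version (no pre-release or build tags).
pub fn parse_version(s: &str) -> Option<Version> {
    let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    Some(Version(it.next()??, it.next()??, it.next()??))
}

/// Does `v` satisfy one requirement such as ">= 0.8.1" or "< 0.5.0"?
pub fn matches_req(v: Version, req: &str) -> bool {
    let req = req.trim();
    let (op, rest) = req.split_at(req.find(|c: char| c.is_ascii_digit()).unwrap_or(0));
    let bound = match parse_version(rest) { Some(b) => b, None => return false };
    match op.trim() {
        "<" => v < bound,
        "<=" => v <= bound,
        ">" => v > bound,
        ">=" => v >= bound,
        "=" | "" => v == bound,
        _ => false, // unsupported operator: treat as not matching
    }
}

/// Advisory semantics: a release is vulnerable unless it matches some `patched`
/// requirement or some `unaffected` requirement.
pub fn is_vulnerable(v: Version, patched: &[&str], unaffected: &[&str]) -> bool {
    !patched.iter().chain(unaffected).any(|r| matches_req(v, r))
}

/// The lint itself: vulnerable releases that are still *not* yanked.
/// `releases` is (version, yanked) as a registry would list it. Empty means "ok".
pub fn unyanked_vulnerable(
    releases: &[(&str, bool)], patched: &[&str], unaffected: &[&str]) -> Vec<String> {
    releases.iter()
        .filter_map(|(ver, yanked)| parse_version(ver).map(|v| (ver, v, *yanked)))
        .filter(|(_, v, yanked)| !*yanked && is_vulnerable(*v, patched, unaffected))
        .map(|(ver, _, _)| ver.to_string())
        .collect()
}

fn main() {
    // Constructed sample release list; 0.5.0 was already yanked, 0.6.0 was not.
    let releases = [("0.4.2", false), ("0.5.0", true), ("0.6.0", false), ("0.8.1", false)];
    let (patched, unaffected) = ([">= 0.8.1"], ["< 0.5.0"]);
    println!("still unyanked: {:?}", unyanked_vulnerable(&releases, &patched, &unaffected));
    // prints: still unyanked: ["0.6.0"]
}
```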