Guidance around yanking crates? #74
I think it makes sense to encourage people to yank all releases of any crate which match any vulnerable versions listed in advisories.
This could range from a heavy-handed lint on published crate versions which requires all impacted versions for a crate be yanked before the advisory can be merged, to a lighter touch "you should probably yank those crates" advice in both CONTRIBUTING.md and as a pull request comment.
What do people think about this?
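A minimal form of the "lint on published crate versions" floated above, added here as an example and not code from the advisory-db project: given an advisory's `patched` and `unaffected` requirements and the crate's published versions (assumed to have been fetched from crates.io beforehand; the sample data is constructed inline), it reports every affected version that is still not yanked. Only the `>=` and `<` operators are handled; anything else is an assumption the lint refuses to evaluate.

```rust
// Added example, not advisory-db code. Versions are compared as (major, minor, patch).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
struct Version(u64, u64, u64);

fn parse_version(s: &str) -> Option<Version> {
    let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let v = Version(it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { return None; } // reject "1.2.3.4" and similar
    Some(v)
}

/// Evaluate one requirement (">= x.y.z" or "< x.y.z") against a version.
/// Returns None for operators this minimal lint does not understand.
fn satisfies(req: &str, v: Version) -> Option<bool> {
    if let Some(rest) = req.strip_prefix(">=") {
        Some(v >= parse_version(rest)?)
    } else if let Some(rest) = req.strip_prefix('<') {
        Some(v < parse_version(rest)?)
    } else {
        None
    }
}

/// One row of the crate's published-version list (as crates.io reports it).
struct Published<'a> { version: &'a str, yanked: bool }

/// A version counts as vulnerable unless some `patched` or `unaffected`
/// requirement matches it. Versions or requirements the lint cannot parse are
/// reported as well, because the lint cannot show them to be safe.
fn unyanked_vulnerable(patched: &[&str], unaffected: &[&str], published: &[Published]) -> Vec<String> {
    let mut out = Vec::new();
    for p in published {
        if p.yanked { continue; }
        let safe = match parse_version(p.version) {
            Some(v) => patched.iter().chain(unaffected).any(|req| satisfies(req, v) == Some(true)),
            None => false,
        };
        if !safe { out.push(p.version.to_string()); }
    }
    out
}

fn main() {
    // Constructed sample: >= 1.1.0 is patched, < 0.9.0 was never affected.
    let published = [
        Published { version: "0.8.5", yanked: false },
        Published { version: "0.9.0", yanked: true },
        Published { version: "0.9.1", yanked: false },
        Published { version: "1.0.0", yanked: false },
        Published { version: "1.2.0", yanked: false },
    ];
    for v in unyanked_vulnerable(&[">= 1.1.0"], &["< 0.9.0"], &published) {
        println!("affected version {} is still not yanked", v);
    }
}
```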
I think there are some scenarios to consider in this that might make it problematic. One example I can think of is that people may be relying on older crates if they are building with older versions of the Rust compiler, yet there hasn't been a patch applied to the older versions of the code (maintainers won't have the time/capacity to go back and patch "supported" versions).
I don't know what the right answer is here, my knee-jerk response is to agree with this proposal, but I think it could have untoward effects in the wider ecosystem.
@8573 that is a good concern! It's also one we could work around with some sort of exemption list.
I'm kind of torn on that particular issue: it would be nice to allow automated filing of vulnerabilities, but at the same time some curation of the database helps keep it consistent and also catch missing details in advisories.