Please clarify maintenance status #91

Open
complexspaces opened this issue Jun 24, 2022 · 4 comments

@complexspaces

This repository hasn't received any updates since February of 2019, nor have any issues or pull requests been replied to since then (that I could see). The last time this was asked, it was noted that it was, but just less active. However, a few months after that the dead period began. I also tried looking on Mozilla's Matrix server for areweinstock since the IRC server was closed, but did not find any users.

If reasonable, it would be ideal to get a full answer from those who have some level of ownership and past activity with this crate. So, @aweinstock314, @SimonSapin, @nox: Is this crate still maintained in any way? It is still specified in servo's cargo manifest but does not appear to be an ongoing concern.

@SimonSapin
Contributor

At the moment Servo as a whole doesn’t have much activity. As far as I know it is not part of anyone’s "day job".

@vext01

vext01 commented Aug 2, 2022

Is there an alternative crate we can use? I'm not super-happy about using a crate which includes security vulns.

edit: https://crates.io/crates/arboard I think.

@pinkforest

pinkforest commented Aug 2, 2022

@vext01 Hi - just to clarify to make sure we don't send any wrong signals - informational / unmaintained does not either imply or explicitly suggest concrete exploits. However there is always a concern around supply chain factor - it is meant for signalling deprecation - this is to gently nudge any downstream dependencies to consider alternatives 💜

Typically we ask the maintainer whether they would commit to security fixes, which may or may not mean keeping e.g. dependencies to some degree up to date, e.g. if any dependencies affect this crate etc.

@SimonSapin thank you for responding - could we clarify whether it would be helpful to raise a gentle informational nudge for the downstream re: maintenance status and would you be able to do / merge any potential security fixes that eases up any community concerns?

benjaminedwardwebb added a commit to benjaminedwardwebb/dmenu-rs that referenced this issue Oct 22, 2022
The rust-clipboard project's maintenance status is [unclear][1].

It pulls in an old version of [rust-xcb][2]. This old version has a
[security issue][3]. It also has a complex build that caused failures I
could not debug when building dmenu-rs with nix.

There is an [open PR][4] to rust-clipboard that updates the X11 and XCB
dependencies with a minimal changeset, resolving this issue.

This commit updates dmenu-rs's rust-clipboard dependency to point to the
fix in the open PR, located on the upgrade-x11 branch of xliiv's fork.

You can find similar discussion in an unrelated project [here][5].

[1]: aweinstock314/rust-clipboard#91
[2]: https://github.com/rust-x-bindings/rust-xcb/tree/v0.8.2
[3]: aweinstock314/rust-clipboard#90
[4]: aweinstock314/rust-clipboard#89
[5]: iceiix/stevenarella#701
benjaminedwardwebb added a commit to benjaminedwardwebb/dmenu-rs that referenced this issue Nov 12, 2022
@tv42

tv42 commented Nov 17, 2023

This crate depends on x11-clipboard ^0.3, which depends on an old version of xcb, which won't build cleanly in a sandbox (writes to source tree), and needs python to build etc. I'd love to see a dependency bump, x11-clipboard is at v0.8.1 by now.

tv42 added a commit to tv42/lapce that referenced this issue Nov 19, 2023
This avoids a dependency via x11-clipboard to an old version of xcb,
v0.3. Problems and annoyances with xcb v0.3 include

- safety: aweinstock314/rust-clipboard#90
- build script depends on python
- won't build in a sandbox, as it writes to the source directory

See also aweinstock314/rust-clipboard#91