Maintenance status #352

Open
djc opened this issue Nov 1, 2022 · 6 comments

@djc

djc commented Nov 1, 2022

Hi there, I was wondering about the maintenance status of this crate? There seems to be little activity. As a rustls maintainer, I noticed this is one of the most popular rustls dependents that's still on a pretty old version, which seems tricky for a security-sensitive crate.

@Fishrock123
Member

Yeah. I don't really do this as a hobby much and my work is not presently overlapping with this.

To bump any of those crates a major version of Surf needs to be released. Ideally this major version would use new versioned feature flags and also the conditional cargo dependency stuff that now exists.

I am totally fine doing the cargo release and merging stuff like that but I am pretty preoccupied so I am unlikely to do the groundwork. If people do it, try to ping me off github because I may not see it here in a timely way at the moment.

@djc
Author

djc commented Nov 2, 2022

To be clear, I have no use case for surf so I won't be contributing code. I'm just wondering if it would make sense to put out a call for maintainers and/or put a note in the README and/or submit a RustSec advisory that the crate is unmaintained.

@djc
Author

djc commented Nov 25, 2022

FWIW, I've filed an issue against the advisory DB.

@pinkforest

pinkforest commented Nov 25, 2022

We reserve unmaintained advisories for completely unreachable maintainers or where the maintainer says it is unmaintained.

Since @Fishrock123 has offered to merge the fixes if someone pushes a PR out, by policy we can't flag an advisory on it without the maintainer's explicit wish to do so.

So we will be waiting to see if this action is okay for @Fishrock123, and then we can certainly do it.

FWIW - If there is an upstream crate that has a security advisory on itself, then it would already get flagged in audit, and it is not required to flag downstream crates which still depend on the old version.

@djc maybe the action could be to flag the old rustls crate versions as unmaintained, and that will light up anything using the old versions?

Cheers

@thomaseizinger

> Since @Fishrock123 has offered to merge the fixes if someone pushes a PR out,

Despite being opened before this issue, #340 has received no attention from @Fishrock123.

@Fishrock123
Member

Consider it unmaintained.

Let me know if I can help by putting something on the repo or such. I won’t have time to go through the significant effort this crate requires any time soon.
