Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove security advisory about plutonium. #276

Closed
wants to merge 2 commits into from
Closed

Remove security advisory about plutonium. #276

wants to merge 2 commits into from

Conversation

hdevalence
Copy link

Closes #275 by reverting the RUSTSEC assignment.

@tarcieri
Copy link
Member

tarcieri commented Apr 24, 2020
edited
Loading

By policy we never remove vulnerabilities once assigned, however you can mark it as “obsolete = true” to perform the equivalent of yanking it

@sunjay
Copy link

sunjay commented Apr 25, 2020

@tarcieri that is a reasonable policy in general, but do you think it still applies given that this was never an actual security vulnerability? It was also just created so removing it should not be a big issue. We can leave the number unused too if that's a concern.

If you're really adamant on enforcing the rule then obsolete can be fine, but it seems like this is a special case that merits just removing it altogether. What do you think?

@tarcieri
Copy link
Member

tarcieri commented Apr 25, 2020
edited
Loading

@sunjay as a general principle we’re trying to follow how crates.io itself works: an immutable archive (in or case, of vulnerabilities). As soon as we assign an identifier, it shouldn’t simply disappear: if there was a problem with the original assignment our goal is to document what happened, which is a generally recognized DFIR practice.

@sunjay
Copy link

sunjay commented Apr 25, 2020

Okay. I get that. I think I was leaning towards special case because I don't want this to affect the integrity of the database. Obsolete is fine too and I think documenting what happened is very important. :)

@tarcieri tarcieri mentioned this pull request Apr 25, 2020
Closed
@tarcieri
Copy link
Member

Dup of #280

@tarcieri tarcieri closed this Apr 26, 2020
@tarcieri tarcieri mentioned this pull request May 17, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

RUSTSEC-2020-0011 is not a security vulnerability.
3 participants
@hdevalence @tarcieri @sunjay