Adds advisory for unsoundness in fragile #2258
Conversation
@mitsuhiko thoughts about adding an advisory for this?
crates/fragile/RUSTSEC-0000-0000.md
[versions] | ||
patched = [] | ||
unaffected = ["1.2.2"] |
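Review bot: `unaffected = ["1.2.2"]` names a single exact version while `patched = []` is empty, so every other version of fragile is implicitly marked affected; the advisory format expects version requirement ranges here, and a later comment in this thread states that 1.2.2 is itself affected (it pulls in fragile 2.0.0 and has its own slab feature). Suggest dropping the `unaffected` entry and, once the 2.0.1 fix mentioned below exists, expressing the fixed set as a range under `patched` instead.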
Is this the only version that is unaffected? Generally we have version ranges here. Also from the linked issue it's not obvious which versions are actually affected so I'm not sure how you came up with this.
All other versions in the 1.0 series have been yanked previously for unsoundness. Checking again, 1.2.2 is also affected since it uses fragile 2.0.0 and does have a slab feature of its own, which I missed originally.
This only affects the
Generally, why is this not handled as an issue against fragile?
@mitsuhiko the OP links an issue in fragile from August 2023, which was last updated (by you) in January 2024. If the unsoundness is going to go unaddressed, I think an advisory might be helpful to point this out to downstream users (but we would not publish it without your consent).
Well, I have an issue with this advisory because rather than engaging on the issue tracker, this is now forcing me as a maintainer to do something to avoid this. I did not receive either mail or a comment that anyone cares about this. Instead an advisory is proposed which talks about moving to another crate entirely, one which hasn't even been updated in three years. I find this entire process quite frustrating, to be honest.
@mitsuhiko no problem, I'll close this PR for now. @konnorandrews I recommend you first engage on the original issue. Feel free to resubmit an advisory PR if there is agreement that an issue exists and a fix has been released.
2.0.1 has been released with a fix for the slab feature.
Awesome. So do you think it makes sense to have an advisory for earlier releases, then?
See mitsuhiko/fragile#34
For reference, fragile has roughly 3 million downloads a month.