Skip to content

Consider yanking versions affected by #252 #256

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
puzzlewolf opened this issue Feb 1, 2021 · 4 comments
Closed

Consider yanking versions affected by #252 #256

puzzlewolf opened this issue Feb 1, 2021 · 4 comments

Comments

@puzzlewolf
Copy link

puzzlewolf commented Feb 1, 2021
edited
Loading

Hi 👋

Would you consider yanking versions affected by #252 from crates.io, as has been done for #96 and #156? I think that would be a good idea, as @Shnatsel put it:

Existing dependencies on them will continue to work, but people won't be able to make new crates depending on vulnerable versions by following e.g. a tutorial that was not updated following this advisory.

Originally posted by @Shnatsel in #96 (comment)
@mbrubeck
Copy link
Collaborator

mbrubeck commented Feb 1, 2021
edited
Loading

I'm still of the view that yanking is only security theater, in cases like this. Even if someone follows an old tutorial that tells them to put smallvec = "0.6.0" in their Cargo.toml, Cargo will automatically choose the latest compatible version (0.6.14), which includes the fix.

Normally, the only people who will end up using an old version are people who already have that version in Cargo.lock, and these are the only people who are not affected by yanking.

(Yanking does have an effect in cases where the fixed version(s) are not semver-compatible with the vulnerable version(s), but that's not true in this case.)

I guess I'm not opposed to it, since it also has little downside, but I haven't seen a convincing explanation of the benefit. (And there are some minor downsides, like making it more work to compare old versions for testing or benchmarking or security research purposes.)

@emilio
Copy link
Member

emilio commented Feb 2, 2021

I agree with @mbrubeck fwiw.

@puzzlewolf
Copy link
Author

I understand and agree with your thoughts, @mbrubeck. However, I think yanking is the way the ecosystem has settled on to convey "This version has issues, please do not use.". In that sense, it's not only read by cargo, but also e.g. distribution packagers who can use it as a signal that an update is necessary.

Also, cargo-deny warns by default if there are yanked dependencies. Quite a number of projects seem to be using it in CI, so they would actually be warned :)

@mbrubeck
Copy link
Collaborator

mbrubeck commented Feb 2, 2021
edited
Loading

I understand and agree with your thoughts, @mbrubeck. However, I think yanking is the way the ecosystem has settled on to convey "This version has issues, please do not use."

That's a good point.

Also, cargo-deny warns by default if there are yanked dependencies.

cargo-deny already warns by default on affected versions of smallvec, because of the security advisory. I also expect distribution packagers to read release notes and security advisories for the packages they maintain.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mbrubeck @emilio @puzzlewolf