maint status of crate? #650

Closed
maintcheck opened this issue Feb 12, 2022 · 8 comments

@maintcheck

maintcheck commented Feb 12, 2022

This is a high-profile crate with no release since 2020 and no commits for months now. I have not seen maintainers responding to people, and lots of people are reporting security issues with this crate. The issues list is almost 200 now and almost 50 PRs are not getting addressed.

Can you please confirm the status of this crate and whether bugs/security issues will be fixed soon? Reports for the sec issue go back a year at least!

@quodlibetor

@nico-abram

Under the github organization that owns this repo I only see one user in the public members: https://github.com/orgs/chronotope/people

There is a comment here from that maintainer from 14 days ago. I'm not sure that can be called unmaintained or "maintainer MIA"/"not seen maintainers responding to people". That PR is made/sent by that same maintainer.

@maintcheck
Author

the fact that there are vulnerabilities and that I can't do much without contacting the owner. I emailed him a while ago but I'm still awaiting a response.

From your linked issue. Doesn't matter if they try; if the owner doesn't OK it then it's pointless.

@nico-abram

nico-abram commented Feb 13, 2022

Milo123459 seems to have merge rights. See this PR which was merged by them #568
I don't really know but the bigger problem may be crate releases

@tarcieri

tarcieri commented Mar 23, 2022

We have a request for the @rustsec project to file an unmaintained crate advisory for chrono which will be surfaced by tools like cargo audit and cargo deny: rustsec/advisory-db#1216

Speaking as one of the RustSec maintainers, I am somewhat reluctant to do this, particularly as chrono is a widely-used high-profile crate within the Rust ecosystem.

It would be great to get some input from any current chrono maintainers as to the state of the project and whether they feel such an advisory is warranted.

My personal view looking at some of the recent history of the project and some of the issues/PRs surfaced in this thread is that there are some active contributors but overall work appears to be stalled. Is that a fair assessment?

@djc
Contributor

djc commented Mar 23, 2022

I have been given access to GitHub and crates.io by the previous primary maintainer on Feb 27. I haven't had a ton of time to spend on the crate (particularly on the goal of publishing a version that fixes RUSTSEC-2020-0159, of course), but with the other active maintainer @Milo123459 we've managed to merge three PRs over the past three days, some of them fairly substantial. I think activity will increase from here, although, because chrono is so widely-used, I want to be careful about publishing a new release, so that may take some time.

As such, while activity on this crate has definitely been very minimal over the past 6 months or so, I don't think it makes sense to publish an unmaintained crate advisory at this point.

@djc
Contributor

djc commented Mar 23, 2022

(Also, given that RUSTSEC-2020-0159 remains relevant there is already some signal in the advisory DB about an ongoing lack of maintenance.)

@tarcieri

Thanks for the update. I've gone ahead and closed the @rustsec issue.

@djc
Contributor

djc commented Mar 23, 2022

I'm going to close this issue for now, feel free to open new issues or comment in other ones with specific questions.
