
Tracking unmaintained crates #134

Closed
tarcieri opened this issue Aug 29, 2019 · 9 comments

Comments

@tarcieri
Member

I was recently complaining about how core ecosystem crates like term are unmaintained. Someone responded with an interesting idea: have RustSec track this information and expose it through cargo-audit.

Here is a broad strokes sketch of how I think this could work:

  • Define a policy for what counts as an "unmaintained crate" (see below)
  • In this repo, create a crates/<unmaintained_crate>/unmaintained.toml file containing information about the crate's current status.
  • Surface this information as a warning in cargo-audit with an option to make it an error.

What policy makes sense for an unmaintained.toml? Well, the term crate is pretty clear-cut, the maintainer posted a "Looking For Maintainer (LFM)" GitHub issue:

Stebalien/term#93

I think a good starting point for a policy is, unlike other RustSec advisories, having package maintainers self-file these to announce to the community that the crate is unmaintained. I think this could have a secondary effect of helping maintainers in this position to find new maintainers. New maintainers can then remove the unmaintained.toml once they take ownership, and by doing so, the RustSec database gets a bonus added effect of becoming a sort of visibility point / audit log of crate ownership transfer in these cases.

@tarcieri
Member Author

Just as an added thought, I think the unmaintained.toml, especially when filed by a crate owner, could include some interesting other metadata, like:

Crate `x` is unmaintained: the maintainer suggests using crates `y` or `z`

So even in cases where it doesn't help recruit a new maintainer, it can at least provide people pointers about what they should use instead.

@RalfJung
Contributor

> Crate x is unmaintained: the maintainer suggests

So it's not maintained but there is a maintainer suggesting something? That sounds funny. ;)

@BurntSushi
Contributor

@RalfJung It happens: https://github.com/BurntSushi/chan#this-crate-has-reached-its-end-of-life-and-is-now-deprecated --- Although perhaps you might still consider that maintained since I put the message there.

@tarcieri
Member Author

See also this recent thread on MP3 crates:

https://rust-audio.discourse.group/t/opportunity-mp3-crate/122/6?u=tarcieri

In it there are authors both willing to transfer ownership of their crates, and also suggesting alternative crates, so I've definitely seen it happen "in the wild".

@RalfJung
Contributor

I was mostly saying that it seems odd to call them "maintainers" if they are not maintaining it. Maybe "former maintainers" or so?

@porglezomp

Are you already using the

```toml
[badges]
maintenance = { status = "..." }
```

metadata that can be present in the Cargo.toml? Would it be beneficial to pitch for extra optional keys for that in the case that status = "deprecated"?

@tarcieri
Member Author

@porglezomp no, but that's a good point.

After some discussion on this issue, I got to thinking that perhaps a good feature to add is an "informational advisory" which can warn for certain crate revisions, but doesn't fail the audit:

#131 (comment)

We could have various categories of informational advisories, and one of them could be "looking for maintainer".

This would allow us to reuse the same advisory format rather than adding a bespoke new one.
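A sketch of how the check described in this thread could work end to end: an unmaintained.toml-style record (the sketch at the top of the issue) surfaced as an informational advisory that warns by default and fails the audit only on request (this comment). This is an added example, not RustSec or cargo-audit code; the `Unmaintained` struct, the sample database and the Cargo.lock fragment are constructed, and the alternative crate names `y` and `z` are placeholders taken from the thread.

```rust
// Added example, not RustSec or cargo-audit code: a toy audit that reads a
// Cargo.lock fragment and surfaces "unmaintained" informational advisories.
use std::collections::HashMap;

/// Hypothetical advisory shape modelled on the unmaintained.toml idea.
pub struct Unmaintained {
    pub package: &'static str,
    pub reason: &'static str,
    pub alternatives: &'static [&'static str],
}

/// Constructed sample database; the alternatives are placeholder names.
pub fn sample_db() -> Vec<Unmaintained> {
    vec![Unmaintained {
        package: "term",
        reason: "maintainer opened a Looking For Maintainer issue",
        alternatives: &["y", "z"],
    }]
}

/// Constructed Cargo.lock fragment, not a real lockfile.
pub const SAMPLE_LOCK: &str = "[[package]]\nname = \"example-app\"\nversion = \"0.1.0\"\n\
dependencies = [\n \"term\",\n]\n\n[[package]]\nname = \"term\"\nversion = \"0.6.1\"\n";

/// Minimal Cargo.lock reader: (name, version) for every [[package]] table.
/// A trailing sentinel header flushes the last table.
pub fn parse_lock(text: &str) -> Vec<(String, String)> {
    let (mut out, mut name, mut version) = (Vec::new(), None, None);
    for line in text.lines().map(str::trim).chain(std::iter::once("[[package]]")) {
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                out.push((n, v));
            }
        } else if let Some((k, v)) = line.split_once(" = ") {
            let v = v.trim_matches('"').to_string();
            match k { "name" => name = Some(v), "version" => version = Some(v), _ => {} }
        }
    }
    out
}

/// Returns (audit passed, messages). Informational findings fail the audit
/// only when `deny_unmaintained` is set, the "option to make it an error".
pub fn audit(lock: &str, db: &[Unmaintained], deny_unmaintained: bool) -> (bool, Vec<String>) {
    let index: HashMap<&str, &Unmaintained> = db.iter().map(|a| (a.package, a)).collect();
    let level = if deny_unmaintained { "error" } else { "warning" };
    let findings: Vec<String> = parse_lock(lock).iter().filter_map(|(n, v)| {
        let a = index.get(n.as_str())?;
        Some(format!("{level}: {n} {v} is unmaintained ({}); consider {}", a.reason, a.alternatives.join(", ")))
    }).collect();
    (findings.is_empty() || !deny_unmaintained, findings)
}
```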

@tarcieri
Member Author

tarcieri commented Sep 1, 2019

If we ship such a feature, here's a crate we should track:

https://twitter.com/passcod/status/1168188637361725442

@Shnatsel
Member

Shnatsel commented Sep 1, 2019

I believe rustcrypto crate was also unmaintained but impossible to take down for a good while.
