Consider yanking versions affected by #252 #256
Comments
|
I'm still of the view that yanking is only security theater, in cases like this. Even if someone follows an old tutorial that tells them to put Normally, the only people who will end up using an old version are people who already have that version in (Yanking does have an effect in cases where the fixed version(s) are not semver-compatible with the vulnerable version(s), but that's not true in this case.) I guess I'm not opposed to it, since it also has little downside, but I haven't seen a convincing explanation of the benefit. (And there are some minor downsides, like making it more work to compare old versions for testing or benchmarking or security research purposes.) |
|
I agree with @mbrubeck fwiw. |
|
I understand and agree with your thoughts, @mbrubeck. However, I think yanking is the way the ecosystem has settled on to convey "This version has issues, please do not use.". In that sense, it's not only read by cargo, but also e.g. distribution packagers who can use it as a signal that an update is necessary. Also, cargo-deny warns by default if there are yanked dependencies. Quite a number of projects seem to be using it in CI, so they would actually be warned :) |
That's a good point.
cargo-deny already warns by default on affected versions of smallvec, because of the security advisory. I also expect distribution packagers to read release notes and security advisories for the packages they maintain. |
Hi 馃憢
Would you consider yanking versions affected by #252 from crates.io, as has been done for #96 and #156? I think that would be a good idea, as @Shnatsel put it:
The text was updated successfully, but these errors were encountered: