Maintenance status #352
Comments
Yeah. I don't really do this as a hobby much and my work is not presently overlapping with this. To bump any of those crates a major version of Surf needs to be released. Ideally this major version would use new versioned feature flags and also the conditional cargo dependency stuff that now exists. I am totally fine doing the cargo release and merging stuff like that but I am pretty preoccupied so I am unlikely to do the groundwork. If people do it, try to ping me off GitHub because I may not see it here in a timely way at the moment.
To be clear, I have no use case for surf so I won't be contributing code. I'm just wondering if it would make sense to put out a call for maintainers and/or put a note in the README and/or submit a RustSec advisory that the crate is unmaintained.
FWIW, I've filed an issue against the advisory DB.
We reserve unmaintained advisories for completely unreachable maintainers or where the maintainer tells us it is unmaintained. Since @Fishrock123 has offered to merge the fixes if someone pushes a PR out, by policy we can't flag an advisory on it without the maintainer's explicit wish to do so. So we will be waiting to see if this action is okay for @Fishrock123, and then we can certainly do it. FWIW - If there is an upstream crate that has a security advisory on itself, then it would already get flagged in audit, and it is not required to flag downstream crates which still depend on the old version. @djc maybe the action could be to flag the old rustls crate versions as unmaintained and that will light up anything using the old versions? Cheers
Despite being opened before this issue, #340 has received no attention from @Fishrock123.
Consider it unmaintained. Let me know if I can help by putting something on the repo or such. I won’t have time to go through the significant effort this crate requires any time soon.
Hi there, I was wondering about the maintenance status of this crate? There seems to be little activity. As a rustls maintainer, I noticed this is one of the most popular rustls dependents that's still on a pretty old version, which seems tricky for a security-sensitive crate.