
[RFC] Change our policy from 90 days to 270 days for unmaintained

Open alex opened this issue 1 year ago • 5 comments

But, in the event a vulnerability is reported, we'll consider a crate unmaintained after a shorter 60 days

alex avatar Jul 27 '24 00:07 alex

This is my proposal to reduce the volume of contentious unmaintained debates, and ideally also reduce burden/guilt/burnout concerns for maintainers.

alex avatar Jul 27 '24 00:07 alex

Upon further reflection, 270 days seems kind of arbitrary. 90 days has a lot of precedent, e.g. responsible disclosure windows.

Perhaps we should go to 1 year (365 days)?

tarcieri avatar Sep 05 '24 17:09 tarcieri

I definitely don't remember what I was thinking when I picked 270 -- 365 would be fine with me.

alex avatar Sep 05 '24 17:09 alex

The 90 days sometimes really hurts me as I need to figure out how to handle these cases, but ... personally I like 90 days. That is three months of a maintainer being unresponsive. And that is after there is a problem with the maintenance that triggers someone to explicitly ask the maintainer if they are AWOL.

Sort of relevant, https://github.com/trailofbits/cargo-unmaintained can be used to find unmaintained dependencies before they hit this CVE threshold. There are a few issues that I have raised that mean it isn't quite ready for being used in CI.

jayvdb avatar Sep 06 '24 09:09 jayvdb

The 90 days sometimes really hurts me as I need to figure out how to handle these cases, but ... personally I like 90 days. That is three months of a maintainer being unresponsive. And that is after there is a problem with the maintenance that triggers someone to explicitly ask the maintainer if they are AWOL.

I second this opinion. IMO, 90 days seems like a reasonable threshold.

tnull avatar Sep 06 '24 09:09 tnull

@alex @tarcieri @amousset how do we make progress on this? I'm inclined to agree that 90 days is on the short side if no security issues have been reported, either 270 or 365 seems fine. Seems like the latter would have consensus?

djc avatar Apr 05 '25 08:04 djc

I'm fine with either.


alex avatar Apr 05 '25 12:04 alex

I also don't really care. Randos said 90 days was too short, but it is the industry-wide standard disclosure period for vulnerabilities. A year felt less arbitrary than 270 days. But personally I'm fine leaving it at 90 days.

tarcieri avatar Apr 05 '25 12:04 tarcieri

Let's take 270 days for now. Can always change it later!

djc avatar Apr 05 '25 14:04 djc