Sergey "Shnatsel" Davidoff
Last time we settled on https://github.com/rustsec/advisory-db/issues/1092#issuecomment-954024803. So it requires advance notice and a grace period for the maintainers to be able to take action before the advisory goes live.
This is being actively discussed on the PR adding the actual advisory: https://github.com/rustsec/advisory-db/pull/1738. Reopening since there is actually work being done on an instance of this, which may set a...
I wonder if a _database_ is even a good solution for this. We have a security advisory database because it's currently infeasible to reliably detect security issues in an automated...
There are many possible controversial things a crate could be doing. I fear a catch-all category for them would be too noisy, and having categories that have 1-2 advisories each...
Thanks for putting this together! I'd consider "unsound" a stronger warning than "unmaintained", so I'd prefer to go with that. "Unmaintained" was originally created for a crate with no known...
I think an advisory without a patched version is a strong enough signal that the crate isn't maintained well. @tarcieri thoughts?
Ideally we should understand the practical implications of this before filing an advisory.
https://github.com/jakubadamw/arbitrary-model-tests is an evolved version of https://github.com/blt/bughunt-rust - it autogenerates all the verification code in a proc macro, all you have to do is supply it with a reference implementation...
This sounds like a "don't compare, just fuzz" mode to me. Several people including myself attempted implementing that independently, see https://github.com/Eh2406/auto-fuzz-test. But that's just a PoC, so it didn't use...
You know, a mode without comparison to a reference model, but also without considering panics as failures would indeed be very useful. For example, it would have found [CVE-2018-1000810](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000810) if...