Add unmaintained advisory for clipboard

Open complexspaces opened this issue 3 years ago • 3 comments

This PR adds a maintenance warning about the rust-clipboard crate. It has not been updated in years and, at this point, two forks of it are the most viable alternatives. Due to its age, it also depends on several unsound crate versions too. As a disclaimer, I am the primary maintainer of the arboard crate.

I also included platform-specific alternatives in case users are only developing for a single platform. Please let me know if I should remove them.

complexspaces avatar Jun 23 '22 23:06 complexspaces

The requirements of HOWTO_UNMAINTAINED do not appear to have been met.

https://lib.rs/crates/clipboard says that the crate is owned by @servo/cargo-publish. Maybe someone on that team could be contacted?

8573 avatar Jun 24 '22 01:06 8573

> The requirements of HOWTO_UNMAINTAINED do not appear to have been met.

Oh sorry, that's entirely my bad. I didn't realize that the RustSec group had developed a policy since the last time I opened a PR.

> https://lib.rs/crates/clipboard says that the crate is owned by @servo/cargo-publish. Maybe someone on that team could be contacted?

I'd be happy to try reaching out. I filed https://github.com/aweinstock314/rust-clipboard/issues/91 and asked the cross-section of those who have contributed to rust-clipboard and are part of the Servo org this question.

Until the guidelines are better met, I've marked this PR as a draft.

complexspaces avatar Jun 24 '22 19:06 complexspaces

Hey all, do we have alternatives that we can recommend?

Seeing that the maintainer has not responded and it's only a week from the 90 day thing?

We need to provide actionable fix(es) if any are available, e.g. possible alternative crates that may or may not be viable to use

e.g.: https://crates.io/crates/arboard

pinkforest avatar Sep 17 '22 14:09 pinkforest

Hi again, @pinkforest. Are you asking to look for more alternatives than the ones already listed in this PR's contents? I listed arboard and copypasta as platform-independent alternatives and clipboard-win and x11-clipboard as platform-specific ones.

complexspaces avatar Sep 17 '22 17:09 complexspaces

Oh yeah you already looked into that, thanks -

Could we please adjust a couple of things to align with our other advisories? That would be fantastic. Thanks

pinkforest avatar Sep 17 '22 17:09 pinkforest

fyi: We are trying to move to better possible alternatives: https://github.com/rustsec/rustsec/issues/658

But for now we still use the list.

Thanks for the contribution @complexspaces :partying_face:

pinkforest avatar Sep 24 '22 11:09 pinkforest