
Conflicting info about yanking crates

Open sunshowers opened this issue 1 year ago • 5 comments

While trying to resolve RUSTSEC-2024-0020, we found some conflicting information (https://github.com/ardaku/whoami/issues/97#issuecomment-1978981489):

  • https://github.com/rustsec/advisory-db/blob/main/CONTRIBUTING.md#optional-steps recommends yanking affected crate versions.
  • However, https://doc.rust-lang.org/cargo/commands/cargo-yank.html#when-to-yank says to not yank for security issues, and instead to use RustSec.

Which one of these recommendations controls?

sunshowers avatar Mar 05 '24 20:03 sunshowers

It seems like the Cargo docs discourage yanking for security vulnerabilities as disruptive, but IMO there is no reason not to yank a crate for a security vulnerability if there is a SemVer-compatible upgrade. Yanking becomes disruptive when there is no SemVer-compatible upgrade.

tarcieri avatar Mar 05 '24 20:03 tarcieri

Thanks Tony! Do you think you could work with Cargo upstream to clarify the situation?

sunshowers avatar Mar 05 '24 20:03 sunshowers

Yeah, it'd be good to open an issue about syncing this advice with RustSec.

tarcieri avatar Mar 05 '24 20:03 tarcieri

It seems to me that the advice here should also be narrowed. Something like:

-4. [Yank] the affected versions of the crate.
+4. [Yank] the affected versions of the crate, if a SemVer-compatible upgrade is available.
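Review bot: the added qualifier "if a SemVer-compatible upgrade is available" makes step 4 conditional but says nothing about what maintainers should do when no such upgrade exists, which is exactly the case where the Cargo docs call yanking disruptive. Consider following the qualifier with a short sentence that the decision in that case should weigh disruption against severity, with the example given in this thread (a malicious dependency that cannot be removed without a breaking change) as a case where yanking is still justified, or a pointer to a list of such special cases.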

But I worry that may not be quite right, because there are probably uncommon circumstances where yanking vulnerable versions should be done even in the absence of a SemVer-compatible upgrade. For example, in a vulnerability where a malicious dependency was accidentally used, usually it can be eliminated without a breaking change, but yanking is probably justified even if it cannot.

EliahKagan avatar Apr 17 '24 19:04 EliahKagan

Maybe we could provide general advice and a list of special cases to consider.

sunshowers avatar Apr 17 '24 19:04 sunshowers