
Create advisory for unmaintained in `serde_yaml`

Open BobG1983 opened this issue 1 year ago • 11 comments

Can't raise an issue on serde_yaml as the repo is archived.

BobG1983 avatar Jul 21 '24 20:07 BobG1983

Is it possible to get this one merged in?

deg4uss3r avatar Aug 22 '24 13:08 deg4uss3r

Available alternatives:

sanpii avatar Oct 19 '24 12:10 sanpii

FWIW I've had personal email correspondence with dtolnay when the project was initially marked as "deprecated" and archived on GitHub, and he confirmed that he will do no further work on serde_yaml and unsafe-libyaml.

decathorpe avatar Jan 12 '25 19:01 decathorpe

dtolnay reports that serde_yml has soundness issues and AI-hallucinated slop:

https://old.reddit.com/r/rust/comments/1ibdxf9/beware_of_this_guy_making_slop_crates_with_ai/

kornelski avatar Jan 28 '25 17:01 kornelski

It would also be good to add alternatives. There's a list in #2132, though as noted earlier we probably shouldn't add serde_yml (#2212).

tarcieri avatar Jan 28 '25 19:01 tarcieri

Also since this PR seems to be stalled, perhaps someone else could open another?

tarcieri avatar Jan 28 '25 19:01 tarcieri

I am personally opposed to this kind of advisory; all that it will do is push people toward crates that are shady, like serde_yml, to make GitHub advisory happy. This doesn't improve security in any meaningful way; if anything, it is the inverse. If there was a clear and good replacement it would be another story, but as things currently stand this would be a net negative IMO.

Sytten avatar Jan 29 '25 00:01 Sytten

@Sytten as stated earlier, this advisory explicitly shouldn't list serde_yml as a suggested replacement, and instead the advisory can explicitly advise NOT to use serde_yml.

tarcieri avatar Jan 29 '25 00:01 tarcieri

On Sytten's point, I think the value add of unmaintained advisories is worth discussion, especially as they seem to surface by default these days or so, because everyone tends to deny audit warnings and that enables unmaintained informational ones too. @tarcieri do you want a separate issue for that discussion, or are you ok with me (and maybe others) writing thoughts here?

BlackHoleFox avatar Jan 29 '25 00:01 BlackHoleFox

This is definitely not the place to debate the value of unmaintained advisories.

I am personally exhausted and very burned out from past debates on this topic, which have included things like Reddit brigading. Rekindling ad hoc debates about the value of unmaintained advisories yet again risks me burning out on the project.

It would be much more helpful to make constructive suggestions about how they can be improved, or if you feel the rationale for their existence is not properly described, helpfully describe what you would like to see.

tarcieri avatar Jan 29 '25 01:01 tarcieri

I've created another PR for this: https://github.com/rustsec/advisory-db/pull/2459

jayvdb avatar Nov 16 '25 02:11 jayvdb