bascule
November 15, 2021, 2:45pm
mtrantalainen:
This is a good question. I think the best way forward would be to allow cargo authors to retroactively specify old versions as broken. That way when crate version 0.22.2 is published, it (the version 0.22.2) would include metadata that version 0.22.1 (or any other older version) is broken with a message "Security vulnerability: RUSTSEC-2021-0119".
This is basically what yanking is for, although it'd be nice if authors who are yanking crates could include a reason for yanking, e.g. a security vulnerability
Ok, so, after thinking about this for a while, I have a new proposal. How about the thing @alexcrichton suggested 3 years ago that the core team keeps telling us we should consider?
If a crate is fixed for a security reason, the old versions can be yanked and the new version can be suggested
Good idea @alexcrichton !
So how about this: each cargo yank event has associated metadata, in the form of a TOML file. If we allow this data to be mutable, it can be back…
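As an added example, not code from the thread, from cargo, or from crates.io: a toy checker in Rust that reads a yank-metadata file of the shape bascule sketches above and reports which packages in a Cargo.lock are pinned to a yanked version, with the reason and the suggested fixed version. The `[[yanked]]` table and its field names, the crate name `some-crate`, and the Cargo.lock excerpt are all assumptions constructed for illustration; only the advisory ID RUSTSEC-2021-0119 and the 0.22.1 / 0.22.2 versions come from the post.

```rust
// Added example (not from the forum thread or from cargo): a toy checker that
// reads a hypothetical yank-metadata TOML file of the shape proposed in the
// post and flags Cargo.lock entries pinned to a yanked version.
// The metadata format, field names and sample data are assumptions.

use std::collections::HashMap;

/// One yanked version as recorded in the hypothetical metadata file.
#[derive(Debug, Clone, PartialEq)]
pub struct YankRecord {
    pub name: String,
    pub version: String,
    pub reason: String,
    pub fixed_in: Option<String>,
}

/// A package pinned in Cargo.lock.
#[derive(Debug, Clone, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
}

/// Minimal parser for the TOML subset both files use: `[[table]]` headers
/// followed by `key = "string"` lines. Returns one map per matching table.
/// Multi-line arrays (e.g. Cargo.lock `dependencies = [ ... ]`) are skipped
/// because their element lines contain no `=`.
pub fn parse_tables(text: &str, table: &str) -> Vec<HashMap<String, String>> {
    let header = format!("[[{}]]", table);
    let mut out: Vec<HashMap<String, String>> = Vec::new();
    let mut in_table = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        if line.starts_with("[[") {
            in_table = line == header;
            if in_table {
                out.push(HashMap::new());
            }
            continue;
        }
        if line.starts_with('[') {
            in_table = false; // some other single table; ignore it
            continue;
        }
        if !in_table {
            continue;
        }
        if let Some((k, v)) = line.split_once('=') {
            let v = v.trim().trim_matches('"').to_string();
            if let Some(cur) = out.last_mut() {
                cur.insert(k.trim().to_string(), v);
            }
        }
    }
    out
}

pub fn parse_yank_metadata(text: &str) -> Vec<YankRecord> {
    parse_tables(text, "yanked")
        .into_iter()
        .filter_map(|t| {
            Some(YankRecord {
                name: t.get("name")?.clone(),
                version: t.get("version")?.clone(),
                reason: t.get("reason").cloned().unwrap_or_default(),
                fixed_in: t.get("fixed_in").cloned(),
            })
        })
        .collect()
}

pub fn parse_lockfile(text: &str) -> Vec<LockedPackage> {
    parse_tables(text, "package")
        .into_iter()
        .filter_map(|t| {
            Some(LockedPackage { name: t.get("name")?.clone(), version: t.get("version")?.clone() })
        })
        .collect()
}

/// Yanking applies to one published version, so an exact (name, version)
/// match is the right check; no semver range logic is needed.
pub fn find_yanked<'a>(lock: &[LockedPackage], yanks: &'a [YankRecord]) -> Vec<&'a YankRecord> {
    lock.iter()
        .filter_map(|p| yanks.iter().find(|y| y.name == p.name && y.version == p.version))
        .collect()
}

/// Constructed sample of the hypothetical yank metadata (not a real file).
pub const SAMPLE_YANK_METADATA: &str = r#"
[[yanked]]
name = "some-crate"
version = "0.22.1"
reason = "Security vulnerability: RUSTSEC-2021-0119"
fixed_in = "0.22.2"

[[yanked]]
name = "other-crate"
version = "1.0.0"
reason = "Broken build on stable"
"#;

/// Constructed Cargo.lock excerpt (not from any real project).
pub const SAMPLE_LOCKFILE: &str = r#"
[[package]]
name = "some-crate"
version = "0.22.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "other-crate",
]

[[package]]
name = "other-crate"
version = "1.0.1"
"#;

fn main() {
    let yanks = parse_yank_metadata(SAMPLE_YANK_METADATA);
    let lock = parse_lockfile(SAMPLE_LOCKFILE);
    for y in find_yanked(&lock, &yanks) {
        println!("warning: {} {} is yanked: {}", y.name, y.version, y.reason);
        if let Some(fix) = &y.fixed_in {
            println!("  suggested: cargo update -p {} --precise {}", y.name, fix);
        }
    }
}
```

The sample deliberately includes `other-crate` at 1.0.1 while only 1.0.0 is yanked, so the run reports just `some-crate 0.22.1` and points at the `cargo update -p <name> --precise <version>` invocation that would move it to the fixed release.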