Notification is the means, and weeding out vulnerable crates is the goal/motivation. I've updated the section here: Update motivation · untitaker/rfcs@5a06156 · GitHub
The idea behind that behavior is: Better mark too many crates as vulnerable than too few. I imagine that enumerating every single concrete version that has been vulnerable to be either tedious or error-prone, or both (i.e. I could imaging to forget a specific bugfix release in my enumeration because I forgot that it existed).
The workflow I imagined is:
- Run
cargo advisorywithout any args. - Edit out the versions that are not affected in the advisory file and submit
- Release new versions that are not vulnerable.
What about a hybrid? Try to use $EDITOR if it exists (don't fiddle around much with fallbacks such as trying a set of common editor names like it is sometimes done), dump a file if it doesn't.
I don't know how the situation looks under Windows, but under POSIX it appears fairly easy once you've found an appropriate editor command. Terminal settings e.g. are supposed to be restored by the editor.
Here we go: Allow optional keys to be absent · untitaker/rfcs@fa78731 · GitHub
This has been proposed at [pre-RFC] Security advisories as part of crates.io metadata - #6 by troplin
I feel like those situations are not comparable as deprecations are much more common (by orders of magnitude!) than security advisories. I simply don't expect advisories to be so common such that developers would be conditioned to ignore them.
I would agree that the "regardless of whether this package is already compiled, downloaded, ..." part is too disruptive though.
@bascule suggested to create an option that makes warnings errors instead. Is that more acceptable? Note my follow-up questions in that thread for which I haven't found a good answer:
I mean "any vulnerable version that matches the version requirements", see also [pre-RFC] Security advisories as part of crates.io metadata - #10 by lifthrasiir
I don't know what you mean by this. Are you saying that allow-vulnerable should affect behavior of publish? This is already my intention.