I'm going to make a bold suggestion: cargo yank
should be deprecated and eventually removed.
The rationale is the following:
- Cargo yank is very difficult to use without being very disruptive to downstream users. And there have been many examples of such disruption.
- Cargo yank doesn't actually do what many crate maintainers think it does. It often has secondary effects that they don't anticipate.
- Cargo audit, and the rustsec advisory repo, are a superior solution to this problem. We should get rid of cargo yank, and tell maintainers to file rustsec advisories against crate versions with security problems. For crate versions that don't have security problems, there is little rationale to yanking them.
-
The oldest example of ecosystem disruption is most likely Why were all versions prior to 0.14 of this crate yanked? · Issue #774 · briansmith/ring · GitHub. I posted another post about frustration with yanking 4 years ago: https://www.reddit.com/r/rust/comments/ctayew/rust_crypto_developers_please_stop_the_yanking/
-
Many maintainers seem to think that, yanking a crate will force users to update. But of course this is not exactly the case. Anyone with the yanked crate in their cargo lock will still be able to use it, so many projects may continue to use the yanked version. Any projects that don't have a cargo lock committed, may now be unbuildable without changes, but this may very from user to user depending on if they have a cargo lock in their local checkout already. So it is very hard to predict how many of your users will actually notice the yank and do anything.
Many maintainers seem to think of yanking as an "undo button". For example, if you screwed up your release and your crate doesn't build in some configuration, surely you should yank it after you publish the new version. But if we think about it, this doesn't really make sense either. Users who encounter build problems can easily update to the latest version of your crate to try to fix it, likely even a cargo update
would fix it if you make a new patch release. But users who depend on dependencies that depend on your previous version, may not be able to build at all without coordinating with those maintainers, or forking the packages that depended on you. So we just traded one form of build breakage for another, harder-to-solve form of build breakage.
Additionally, if I have a rust library and I do not commit it's cargo.lock file to the repo, (which is the recommended practice FAQ - The Cargo Book), yanking crates may break my ability to use git bisect
to debug my library. This is because if I go far enough back in time to a point where somewhere in my dependency there are yanked crates, cargo may not be able to build my library at all, even if it once could. I could try to compensate for this by committing cargo.lock anyway, but this has other downsides as explained in the FAQ.
- Most of the time when an important crate is yanked, the result is github issues that ask "why was this crate yanked?" This is because yanking doesn't have a place for maintainers to explain the rationale, and there's no way for users to look it up.
cargo audit
and the rustsec advisories fix this.
If we made cargo yank
instead return a message "cargo yank is being deprecated, please file a rustsec advisory instead, which your users discover by using cargo audit
. If there is not a security problem, please just publish a new patch version.", it will have a number of benefits:
- Way more people would use the cargo audit tools and report rustsec advisories. That's great because these are great, well thought-out tools.
- Users would be able to easily get information to understand what the problem is with the crate, which they can't do with cargo yank.
- Cleanly separate "cargo build" from the issue of security advisories. It is very important to learn about security advisories when preparing for a software release process, but for development and testing, it is more important for developers to have precise control over what is built. Building old software is not bad, and may be necessary if using git bisect to investigate a bug. Even if security issues were discovered much later, preventing them from building in order to run tests may prevent them from doing their job. Releasing old software is bad, and that's the stage at which we need to discover outdated / broken dependencies.