NOTE: Apologies in advance as I think this is bordering on what actually counts as "rust-internals", and is more of a general community management topic as it related to the crates.io ecosystem. That said, I feel this forum is closer to the audience I'm seeking feedback from than http://users.rust-lang.org
I posted a proposal to the RustSec issue tracker I'm attempting to solicit feedback from. The core idea:
Enable crate maintainers to notify downstream users that their crate is unmaintained (and provide recommendations for alternatives, or solicit new maintainers) using
cargo-audit and the RustSec Advisory Database.
Full proposal here:
I mention this because I've observed a number of widely utilized core infrastructure crates in the Rust ecosystem which are presently unmaintained. And when I say "unmaintained", I mean their authors are opening issues like "Looking For Maintainers (LFM)", which is presently the case for the
term crate which is used for a number of foundational Rust ecosystem tools including but not limited to Cargo:
Goals in a nutshell:
- Increase awareness when crates are unmaintained
- Help maintainers who want to hand off important crates find new maintainers
- If they can't accomplish the above, provide a communication channel for maintainers of crates to recommend their preferred alternatives
- Create a central visibility point for unmaintained crates and when ownership is being transferred
The tl;dr: implementation would be to allow crate maintainers to submit an
unmaintained.toml file to https://github.com/rustsec/advisory-db, which would be consumed by cargo-audit, which can emit warnings (with a flag to optionally make them an error) when there are unmaintained crates detected in Cargo.lock.
Curious what people think of this idea.