So suppose there is a vulnerability/advisory by RustSec, how do we, as crate maintainers, go about fixing it?
For context, for a crate I co-maintain, there was a vulnerability and one of the co-maintainers posted it on https://www.reddit.com/r/rust/comments/dguqt3/vulnerability_in_sodiumoxide_generichashdigesteq/.
But I feel this may not be the right thing. Any pointers?
we've talked about putting every advisory on Reddit /cc @Shnatsel
seems good to me
Helping make sure folks are running cargo-audit in CI, getting GitHub to set notices/PRs, and having the thing that audits crates.io running and causing people to send PRs seems more important than publicizing individual vulns, IMO.
Thanks @Tony Arcieri
Posting vulnerabilities increases visibility for the entire RustSec effort, which is why I suggested them. It is otherwise not particularly discoverable other than through word-of-mouth.
Alerting major dependents directly sounds like a good thing too. https://gitlab.com/zachreizner/crates-audit lets you find all crates affected, including transitive dependents
Also, CI is really not the place to run cargo-audit - it should not block development, but it should prompt you to rebuild all your binaries used in production.
I like running it in CI. Not everything you run in CI necessarily needs to block a merge
but also you could run it on a schedule
So what should be the next step? Yank all affected releases?
there's been a lot of back and forth on that one. I'd personally recommend it, especially for a security vulnerability
some people complain it's too disruptive, but I hope they don't complain it's too disruptive in this case
@DPC Oh yes, yanking all affected releases is a really good idea. If there are some releases that are not semver-compatible with the fixed version and people still use them, backport the fix to that series and make a new release there, then yank everything affected.
The complaints about yanking were for cases when people don't provide a semver-compatible version with the fix