Release 0.16.20 and earlier are completely unmaintained and have been for years #2450
Replies: 3 comments
-
The advisory-db discussion about this is at rustsec/advisory-db#2239. I hope we can discuss it here and then move forward with the advisory over there. My goal here is to avoid thinking about ring 0.16.20 and earlier ever again, after this discussion.
-
An advisory that only affects 0.16.x (and older) seems like the right solution.
-
I've filed the advisory: rustsec/advisory-db#2241.
-
Every once in a while, somebody files an issue regarding ring 0.16.20 or sometimes even earlier versions. My boilerplate response is that they should upgrade to the latest release (0.17.12 as of today). ring 0.16.20 was released over four whole years ago so nobody should be using it. I think some people may have stuck with it because another project released another crate that is "API compatible" with ring 0.16.20 but never released one compatible with 0.17.*. Now the 0.16.20 release and earlier releases seem like a huge liability. I have been told it is possible to mark 0.16.20 and earlier as "unmaintained" in the advisory DB and that's what I'd like to do.
Thoughts?