RUSTSEC-2021-0019 - Multiple soundness issues, maintenance status #107

Closed
martin-t opened this issue Oct 24, 2021 · 4 comments

martin-t commented Oct 24, 2021

There's an advisory out for XCB. The individual issues appear to be reported here but I don't see any response from you on any of them:

The issue with details also says XCB is unmaintained but I can see commits on a branch from a week ago. Are you still maintaining this crate? If so, would you, please, look at those issues? XCB is (transitively) a dependency of a lot of crates such as egui, conrod, alacritty and rg3d, though I don't know how many use the relevant functions.

I understand maintaining a popular crate is a lot of work and often not even interesting work. Would you be open to spreading the responsibility around a little? Perhaps you could create a GitHub organization with maintainers of some of these big crates as members if they would be interested. I also usually suggest using Rust Bus.

Finally, since this is a security issue, would you pin it so it receives more attention?


Edit(2021-11-07): One more advisory:

Collaborator

rtbo commented Oct 25, 2021

Hi. Thanks for this. Indeed over the last few years I couldn't support rust-xcb the way it deserved. There was a call for maintainers in the Readme that I have since removed, as I am now able to support it actively.
Regarding the safety and soundness issues, these are being dealt with in the PR I'm working on, #105. But it comes with an important API change (basically a complete rewrite of the library) so maybe not ideal to everybody but I think necessary (at least for the soundness aspect).
I'm totally open to spread the maintenance responsibility.
I'm not familiar with the links you pointed and will look at them.

rtbo pinned this issue Oct 25, 2021

Collaborator

rtbo commented Nov 7, 2021

rust-xcb is now part of the new organization rust-x-bindings.
I plan to also move toy_xcb and xkbcommon-rs there.

Collaborator

rtbo commented Nov 12, 2021

v1.0.0-beta.0 is released to crates.io. See branch v1.0-dev.
If you have any comments on the new API, please don't hesitate to voice them, either in this issue or in another one.
You can get a good grasp on the new API from the ReadMe (in the v1.0-dev branch), from the examples, and from the documentation.

Collaborator

rtbo commented Mar 6, 2022

v1.0.0 is released.

rtbo closed this as completed Mar 6, 2022
rtbo unpinned this issue Mar 6, 2022