smallcircles (Humanity Now 🕊)
To vendor or to fork? That is the question.
Since #Rust Crates.io started giving #RUSTSEC warnings on the unmaintained status of #yaml-rust library, there's a bit of a panic, not in the least because 1,000's of crates depend on it.
This article by the maintainer of Insta snapshot testing tool gives a nice analogy to Collateralized Debt Obligations (CDO's) with considerations on whether you should fork or might vendor the lib.
silverpill
@smallcircles I've read the article but still don't understand what the fuss is about. Looks like Github is harassing open source developers for no reason.
silverpill
@smallcircles As far as I can tell yaml-rust does what it is supposed to do and there are no known security vulnerabilities. The author published this code under open source license and moved to other things. Everyone was happy...
Until someone from RustSec published this advisory because they believe that software gets insecure if it doesn't change
smallcircles (Humanity Now 🕊)
It is not Github that is at fault. It is #Rust projects that have a dependency on yaml-rust and - via Github Actions - see CI reporting a message from RUSTSEC. Here's that advisory:
https://rustsec.org/advisories/RUSTSEC-2024-0320.html
The advisory in turn contains a reference to a yaml-rust issue about the unmaintained status, which is why you see all the cross-links in it:
076萌SNS is a social network, courtesy of 076. It runs on GNU social, version 2.0.2-beta0, available under the GNU Affero General Public License.
All 076萌SNS content and data are available under the Creative Commons Attribution 3.0 license.