starred/hickory-dns
1
0
Fork 0
mirror of https://github.com/hickory-dns/hickory-dns.git synced 2026-04-25 11:15:54 +03:00
Code Issues 373 Projects Releases 6 Packages Wiki Activity

[GH-ISSUE #2069] Heads-up about filing advisories for the renamed crates #870

New issue
Closed
opened 2026-03-16 00:40:38 +03:00 by kerem · 15 comments
kerem commented 2026-03-16 00:40:38 +03:00
Owner
Copy link

Originally created by @thomaseizinger on GitHub (Oct 18, 2023).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2069

Hi!

I discovered that this project has been renamed but dependabot does not know that so it is not going to issue updates for the new crates. Thus, I am in the process of filing "unmaintained" advisories for the old crates and thought you might want to know about that ahead of time :)

Please give your input there in case that is somehow not wanted.

See https://github.com/rustsec/advisory-db/pull/1806.

Originally created by @thomaseizinger on GitHub (Oct 18, 2023). Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2069 Hi! I discovered that this project has been renamed but dependabot does not know that so it is not going to issue updates for the new crates. Thus, I am in the process of filing "unmaintained" advisories for the old crates and thought you might want to know about that ahead of time :) Please give your input there in case that is somehow not wanted. See https://github.com/rustsec/advisory-db/pull/1806.
kerem 2026-03-16 00:40:38 +03:00
kerem commented 2026-03-16 00:40:54 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Oct 18, 2023):

I'm not sure if we need or want to create an advisory, and I don't think I'd denote trust-dns crates as unmaintained right now. We can and have posted patches to previous versions when necessary. To be clear, while the name has change, we still have full control and ability to post patches to trust-dns, if those are needed. I'm not sure we need to force everyone to upgrade right now.

What do others think, @djc ?

<!-- gh-comment-id:1767575648 --> @bluejekyll commented on GitHub (Oct 18, 2023): I'm not sure if we need or want to create an advisory, and I don't think I'd denote trust-dns crates as unmaintained right now. We can and have posted patches to previous versions when necessary. To be clear, while the name has change, we still have full control and ability to post patches to trust-dns, if those are needed. I'm not sure we need to force everyone to upgrade right now. What do others think, @djc ?
kerem commented 2026-03-16 00:40:59 +03:00
Author
Owner
Copy link

@thomaseizinger commented on GitHub (Oct 18, 2023):

The default for cargo deny is to issue a warning: https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-unmaintained-field-optional

That doesn't force anybody to update unless they explicitly set this to deny.

Perhaps I am misunderstanding something: How do you expect users to know that they are depending on a crate that is only passively maintained? The docs don't mention anything about this rename for example: https://docs.rs/trust-dns-proto.

I just stumbled over this by accident and went ahead to file the advisories to help other people find out about this in an automated way.

<!-- gh-comment-id:1767601299 --> @thomaseizinger commented on GitHub (Oct 18, 2023): The default for `cargo deny` is to issue a warning: https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-unmaintained-field-optional That doesn't force anybody to update unless they explicitly set this to `deny`. Perhaps I am misunderstanding something: How do you expect users to know that they are depending on a crate that is only passively maintained? The docs don't mention anything about this rename for example: https://docs.rs/trust-dns-proto. I just stumbled over this by accident and went ahead to file the advisories to help other people find out about this in an automated way.
kerem commented 2026-03-16 00:41:04 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Oct 18, 2023):

Ah, that was an oversight on the docs. I should have included a note in the 0.23.1 release. I do have a notice on https://crates.io/crates/trust-dns-proto

We could publish a 0.23.2 to put the notice there as well.

In terms of unmaintained, I've seen this be disruptive in the past with some other crates, some were warranted, others not. I'm just trying to avoid unnecessary disruption to users as there's no security issue at the moment with the trust-dns crates.

<!-- gh-comment-id:1767604905 --> @bluejekyll commented on GitHub (Oct 18, 2023): Ah, that was an oversight on the docs. I should have included a note in the 0.23.1 release. I do have a notice on https://crates.io/crates/trust-dns-proto We could publish a 0.23.2 to put the notice there as well. In terms of `unmaintained`, I've seen this be disruptive in the past with some other crates, some were warranted, others not. I'm just trying to avoid unnecessary disruption to users as there's no security issue at the moment with the trust-dns crates.
kerem commented 2026-03-16 00:41:09 +03:00
Author
Owner
Copy link

@thomaseizinger commented on GitHub (Oct 18, 2023):

Ah, that was an oversight on the docs. I should have included a note in the 0.23.1 release. I do have a notice on crates.io/crates/trust-dns-proto

We could publish a 0.23.2 to put the notice there as well.

That sounds good.

In terms of unmaintained, I've seen this be disruptive in the past with some other crates, some were warranted, others not. I'm just trying to avoid unnecessary disruption to users as there's no security issue at the moment with the trust-dns crates.

Ultimately your decision :)
The PRs are there at the advisory if you want them merged. Otherwise just let them know they are not wanted so they can get closed.

<!-- gh-comment-id:1767608713 --> @thomaseizinger commented on GitHub (Oct 18, 2023): > Ah, that was an oversight on the docs. I should have included a note in the 0.23.1 release. I do have a notice on [crates.io/crates/trust-dns-proto](https://crates.io/crates/trust-dns-proto) > > We could publish a 0.23.2 to put the notice there as well. That sounds good. > In terms of `unmaintained`, I've seen this be disruptive in the past with some other crates, some were warranted, others not. I'm just trying to avoid unnecessary disruption to users as there's no security issue at the moment with the trust-dns crates. Ultimately your decision :) The PRs are there at the advisory if you want them merged. Otherwise just let them know they are not wanted so they can get closed.
kerem commented 2026-03-16 00:41:14 +03:00
Author
Owner
Copy link

@djc commented on GitHub (Oct 18, 2023):

I think issuing unmaintained advisories would be useful in principle, but I would probably hold off on doing it for a few months to minimize disruption (allowing people to switch organically).

On the other hand, given that it's warn by default, maybe it makes sense to just get this done so people who are looking for it will notice.

<!-- gh-comment-id:1768340696 --> @djc commented on GitHub (Oct 18, 2023): I think issuing unmaintained advisories would be useful in principle, but I would probably hold off on doing it for a few months to minimize disruption (allowing people to switch organically). On the other hand, given that it's `warn` by default, maybe it makes sense to just get this done so people who are looking for it will notice.
kerem commented 2026-03-16 00:41:20 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Oct 18, 2023):

Ok, I've added the notices in #2071.

@djc, that didn't feel like a confident answer on the unmaintained notices. It sounds like you have similar concerns as I do in regards to community disruption. Is there anyone that can answer the default audit behavior so that we can better understand the implications there?

<!-- gh-comment-id:1769296738 --> @bluejekyll commented on GitHub (Oct 18, 2023): Ok, I've added the notices in #2071. @djc, that didn't feel like a confident answer on the unmaintained notices. It sounds like you have similar concerns as I do in regards to community disruption. Is there anyone that can answer the default audit behavior so that we can better understand the implications there?
kerem commented 2026-03-16 00:41:25 +03:00
Author
Owner
Copy link

@thomaseizinger commented on GitHub (Oct 19, 2023):

Is there anyone that can answer the default audit behavior so that we can better understand the implications there?

We run the cargo-audit action with the default configuration:

github.com/libp2p/rust-libp2p@c35c413b3a/.github/workflows/cargo-audit.yml (L6-L13)

This produces warnings on unmaintained crates:

https://github.com/libp2p/rust-libp2p/actions/runs/5981551811/job/16229566931#step:3:12

Which then creates issues to notify you about it:

https://github.com/libp2p/rust-libp2p/issues/3136

cargo deny is similar in that it won't trigger build failures unless you explicitly tell it to.

<!-- gh-comment-id:1769847303 --> @thomaseizinger commented on GitHub (Oct 19, 2023): > Is there anyone that can answer the default audit behavior so that we can better understand the implications there? We run the `cargo-audit` action with the default configuration: https://github.com/libp2p/rust-libp2p/blob/c35c413b3a2987892bc822a9c0c63ae8a56d24d1/.github/workflows/cargo-audit.yml#L6-L13 This produces warnings on unmaintained crates: https://github.com/libp2p/rust-libp2p/actions/runs/5981551811/job/16229566931#step:3:12 Which then creates issues to notify you about it: https://github.com/libp2p/rust-libp2p/issues/3136 `cargo deny` is similar in that it won't trigger build failures unless you explicitly tell it to.
kerem commented 2026-03-16 00:41:30 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Oct 19, 2023):

We run audit with --deny,

github.com/hickory-dns/hickory-dns@bb20324562/justfile (L90-L92)

Which I think will cause build failures when audit warnings are triggered. Based on some past experience here, I think a lot of projects run with the --deny flags passed, which is where some of the churn has come from, at least as I've noticed it in the community.

<!-- gh-comment-id:1769850809 --> @bluejekyll commented on GitHub (Oct 19, 2023): We run `audit` with `--deny`, https://github.com/hickory-dns/hickory-dns/blob/bb203245629f4cc4e7a48861b7d6810c011393c7/justfile#L90-L92 Which I think will cause build failures when audit warnings are triggered. Based on some past experience here, I think a lot of projects run with the `--deny` flags passed, which is where some of the churn has come from, at least as I've noticed it in the community.
kerem commented 2026-03-16 00:41:35 +03:00
Author
Owner
Copy link

@thomaseizinger commented on GitHub (Oct 19, 2023):

Personally, I don't think that is a good CI setting because it could fail your CI based on external factors unrelated to your code. That obviously then creates friction by e.g. stalling PRs if this check is required.

But this is kind of unrelated to the issue at hand.

If you don't want to issue an advisory, I'd suggest you deprecate a core symbol in each crate, point users to the renamed crate and issue that as a patch release. For users interested in updates, dependabot will update their PR which then will issue warnings.

The deprecation approach is more work for you but would be deterministic in regards to users CI runs (assuming they have a lockfile).

<!-- gh-comment-id:1769943576 --> @thomaseizinger commented on GitHub (Oct 19, 2023): Personally, I don't think that is a good CI setting because it could fail your CI based on external factors unrelated to your code. That obviously then creates friction by e.g. stalling PRs if this check is required. But this is kind of unrelated to the issue at hand. If you don't want to issue an advisory, I'd suggest you deprecate a core symbol in each crate, point users to the renamed crate and issue that as a patch release. For users interested in updates, dependabot will update their PR which then will issue warnings. The deprecation approach is more work for you but would be deterministic in regards to users CI runs (assuming they have a lockfile).
kerem commented 2026-03-16 00:41:40 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Oct 19, 2023):

I don't think that is a good CI setting because it could fail your CI based on external factors unrelated to your code

Perhaps, though it also means that you don't get an automatic notice on potentially concerning issues. It's also why we use --deny on clippy for example.

If you don't want to issue an advisory, I'd suggest you deprecate a core symbol in each crate, point users to the renamed crate and issue that as a patch release. For users interested in updates, dependabot will update their PR which then will issue warnings.

I got some feedback from some folks that I think I like, which might be a decent middle ground. Right now the advisory is for all versions. What do you think about constraining it to >= 0.23.1, and then folks audits would only fail when they update their lock files or other builds. I think I like that approach?

<!-- gh-comment-id:1771842604 --> @bluejekyll commented on GitHub (Oct 19, 2023): > I don't think that is a good CI setting because it could fail your CI based on external factors unrelated to your code Perhaps, though it also means that you don't get an automatic notice on potentially concerning issues. It's also why we use `--deny` on clippy for example. > If you don't want to issue an advisory, I'd suggest you deprecate a core symbol in each crate, point users to the renamed crate and issue that as a patch release. For users interested in updates, dependabot will update their PR which then will issue warnings. I got some feedback from some folks that I think I like, which might be a decent middle ground. Right now the advisory is for all versions. What do you think about constraining it to `>= 0.23.1`, and then folks audits would only fail when they update their lock files or other builds. I think I like that approach?
kerem commented 2026-03-16 00:41:45 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Oct 20, 2023):

@djc, what do you think of the above idea?

<!-- gh-comment-id:1773044138 --> @bluejekyll commented on GitHub (Oct 20, 2023): @djc, what do you think of the above idea?
kerem commented 2026-03-16 00:41:50 +03:00
Author
Owner
Copy link

@djc commented on GitHub (Oct 20, 2023):

Sounds good to me!

<!-- gh-comment-id:1773147331 --> @djc commented on GitHub (Oct 20, 2023): Sounds good to me!
kerem commented 2026-03-16 00:41:55 +03:00
Author
Owner
Copy link

@thomaseizinger commented on GitHub (Oct 22, 2023):

Sounds good! Will update the advisories!

<!-- gh-comment-id:1773974177 --> @thomaseizinger commented on GitHub (Oct 22, 2023): Sounds good! Will update the advisories!
kerem commented 2026-03-16 00:42:00 +03:00
Author
Owner
Copy link

@thomaseizinger commented on GitHub (Oct 23, 2023):

Please see the updated PR: https://github.com/rustsec/advisory-db/pull/1806.

<!-- gh-comment-id:1774242336 --> @thomaseizinger commented on GitHub (Oct 23, 2023): Please see the updated PR: https://github.com/rustsec/advisory-db/pull/1806.
kerem commented 2026-03-16 00:42:05 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Oct 25, 2023):

I'm going to close this as I think we came to a decent solution. Thanks for all the input everyone.

<!-- gh-comment-id:1779975842 --> @bluejekyll commented on GitHub (Oct 25, 2023): I'm going to close this as I think we came to a decent solution. Thanks for all the input everyone.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
release/0.26
david/conformance-dnssec-negative-tests
query-api
opt-types
cname-nsec
no-cname-recursion
conformance-min-ttl
dname-base
drop-message-request
no-error-queries
cpu-sig0-rm-message-sig_dev
cpu-tsig-test-update_dev
windows-config
dnssec-net
release/0.25
opp-enc-persist
integration-test
cpu-tidying-recursor-opts_dev
happy-eyeballs
david/authoritative-zone-storage-trait
dnssec-ad
no-authority
release/0.24
pvdrz/remove-top-file
pvdrz/h3-handshake-timeout
pvdrz/quic-handshake-timeout
nxdomain-for-recursor
ja-test-merque-queue
ja-fix-ci-again
sz-add-ede-tests
sz-test-tc-bit-with-large-response
sz-fix-tokio-dependency
gh-2275-test-rrsig-signature
refactor-sign-zone-file
fix-1.79-cleanliness
update-nightly-hash
release/0.23
gh-pages
use-just-for-server-toml
release/0.22
revert-1874-cpu-zone-parse-default-class
disable-bind-compatibility-tests
disable-test_tls_client_stream_ipv4
update-native-tls-0.2.11
recursor-tests
fix-clippy-self
release/0.20
saethlin-fix-rdata-zero
release/0.19
flat_name
drop_unused_futures
release/0.18
release-r0.12-cs0.17
release/r0.12-cs0.17
trust-dns-book
r0.10
test-connections-not-dropped
fix_exec_status_on_rs_files
release-0.9
add-mutex-to-integration-tests
0.8_release
bfry/dns-crypt
v0.26.0
v0.26.0-beta.4
v0.26.0-beta.3
v0.26.0-beta.2
v0.26.0-beta.1
v0.26.0-alpha.1
v0.25.2
v0.25.1
v0.25.0
v0.24.4
v0.24.3
v0.25.0-alpha.5
v0.24.2
v0.25.0-alpha.4
v0.25.0-alpha.3
v0.25.0-alpha.2
v0.25.0-alpha.1
v0.24.1
v0.23.2
v0.24.0
v0.23.1
v0.23.0
v0.23.0-alpha.5
v0.23.0-alpha.4
v0.23.0-alpha.3
v0.22.1
v0.23.0-alpha.2
v0.23.0-alpha.1
v0.22.0
v0.21.2
v0.21.1
v0.21.0
v0.21.0-alpha.5
v0.20.4
v0.21.0-alpha.4
v0.21.0-alpha.3
v0.21.0-alpha.2
v0.21.0-alpha.1
v0.20.3
v0.20.2
v0.20.1
v0.19.7
v0.20.0
0.19.6
v0.20.0-alpha.3
v0.20.0-alpha.2
v0.20.0-alpha.1
0.19.5
0.19.4
0.19.3
0.19.0
0.18.1
0.18
0.18.0.alpha.2
r0.12_cs0.17
r0.11.1
cs0.16.1
r0.11
cs0.16
r0.10.1
r0.10.0
cs0.15.0
r0.9.1
v0.14.0
r0.9.0
r0.8.1
r0.8.0
v0.13.0
r0.7.0
c0.12.0
r0.6.0
r0.5.0
resolver.0.4.0
0.11.0
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.1
0.8.0
0.7.3
0.7.2
0.7.1
0.7.0
0.6.0
0.5.3
0.5.1
0.5.0
0.4.0
0.3.1
0.3.0
0.2.1
0.2.0
0.1.0
Labels
Clear labels   
blocked

   
breaking-change

   
bug

   
bug:critical

   
bug:tests

   
cleanup

   
compliance

   
compliance

   
compliance

   
crate:all

   
crate:client

   
crate:native-tls

   
crate:proto

   
crate:recursor

   
crate:resolver

   
crate:resolver

   
crate:rustls

   
crate:server

   
crate:util

   
dependencies

   
docs

   
duplicate

   
easy

   
easy

   
enhance

   
enhance

   
enhance

   
feature:dns-over-https

   
feature:dns-over-quic

   
feature:dns-over-tls

   
feature:dnsssec

   
feature:global_lb

   
feature:mdns

   
feature:tsig

   
features:edns

   
has workaround

   
ops

   
perf

   
platform:WASM

   
platform:android

   
platform:fuchsia

   
platform:linux

   
platform:macos

   
platform:windows

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
test

   
tools

   
tools

   
trust

   
unclear

   
wontfix
No labels
blocked
breaking-change
bug
bug:critical
bug:tests
cleanup
compliance
compliance
compliance
crate:all
crate:client
crate:native-tls
crate:proto
crate:recursor
crate:resolver
crate:resolver
crate:rustls
crate:server
crate:util
dependencies
docs
duplicate
easy
easy
enhance
enhance
enhance
feature:dns-over-https
feature:dns-over-quic
feature:dns-over-tls
feature:dnsssec
feature:global_lb
feature:mdns
feature:tsig
features:edns
has workaround
ops
perf
platform:WASM
platform:android
platform:fuchsia
platform:linux
platform:macos
platform:windows
pull-request
question
test
tools
tools
trust
unclear
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/hickory-dns#870
No description provided.