#RUSTSEC-2025-0007 ring unmaintained

stable arrow

Immediately, anyone can use features to change the backend they use.

somber lance

sure

but that doesn't make the cargo-audit/cargo-deny stuff go away, I think?

which historically most people will want

stable arrow

I don't think it will

It's unfortunate they mix unmaintained with vulnerabilities, but I can't change that

I did eventually assume we'd change the default backend in reqwest

I was mostly concerned with whether a patch version upgrade would mean environments could no longer compile because of a missing build dep

somber lance

sure

stable arrow

I recall a conversation at RustConf that that was getting better

And well, now it seems like a shrug

somber lance

we're hoping we can get the advisory retracted by providing security-only maintenance for ring

stable arrow

Gotta deal with it

somber lance

anyway, happy to review/advise on any changes in this area 👍