Address RUSTSEC-2021-0124 #2830

Closed
djmitche opened this issue May 30, 2022 · 8 comments
Comments

@djmitche
Collaborator

This is a vulnerability in tokio, which is required by Actix-web. For the moment, let's ignore it, and then decide whether to upgrade actix to suit, or switch to a different (simpler) web server package.

@djmitche djmitche self-assigned this May 30, 2022
@djmitche
Collaborator Author

djmitche commented Jun 1, 2022

It looks like the audit-check action does not support --ignore, so for the moment it might be best to just disable this check. We can re-enable it either when this advisory is addressed (by actix-web) or after switching to another web framework.

@djmitche
Collaborator Author

djmitche commented Jul 4, 2022

Hm, audit-check appears unmaintained. I've pinged the maintainer, but if no response then we might need to fork that action.

@djmitche
Collaborator Author

@tbabej ok if I fork that to the GothenburgBitFactory org or should I do it to djmitche?

@tbabej
Member

tbabej commented Jul 11, 2022

Forking under the org is fine with me!

@pinkforest

pinkforest commented Aug 6, 2022

Hi lovelies, feel free to PR link to the fork here: https://github.com/rust-secure-code/projects 💜

Or... maybe we could adopt it under rust-secure-code / rustsec?

I've asked others whether this is something we could do: rust-secure-code/wg#46

@djmitche
Collaborator Author

djmitche commented Aug 6, 2022

I just noted in #2903 that the fork doesn't actually add any value over upstream. But this does seem to be a fairly "important" rust-security-related action, so I'd vote to include it in a collective org like rust-secure-code.

@pinkforest

Cool. There is also cargo-deny alternatively e.g.:
libp2p/rust-libp2p#2803

But I'll see the feasibility of whether we can adopt this in the meantime
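As an added illustration of the cargo-deny route mentioned above (this is not a file from this repository, nor cargo-deny's own documentation), a minimal `deny.toml` that lets the advisory check pass on RUSTSEC-2021-0124 while still failing on any other advisory; the comment text and the placement at the crate root are assumptions:

```toml
# deny.toml (added example, not the project's actual configuration)
# Run with:  cargo deny check advisories
#
# cargo-deny consults the same RustSec advisory database that cargo-audit
# uses, so the advisory ID below is the one reported by audit-check.

[advisories]
# Advisory IDs listed here are still reported in the output but do not
# fail the check. RUSTSEC-2021-0124 is the tokio advisory from this issue;
# it is pulled in only through actix-web, so it is ignored here until
# actix-web depends on a fixed tokio. Review this list whenever the
# lockfile changes and delete the entry once the dependency is updated.
ignore = [
    "RUSTSEC-2021-0124",
]
```

Unlike the audit-check action, this gives the suppression a single reviewable place in the repository, which is the same effect `cargo audit --ignore RUSTSEC-2021-0124` would have on the command line.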

@djmitche
Collaborator Author

This has been resolved in other repos.
