Drop dependency on futures-intrusive #1668
Comments
There's async-lock which would be an okay replacement, although the current implementation of It wouldn't be super difficult to fix that, as it's just a workaround for the fact that we need an Dropping
I guess the
We could also just roll our own semaphore, basically just re-implement
What I was thinking with tokio is that if their EDIT: never having been interested in async-std I don't mind the nuclear option of ripping it out though
Getting rid of async-std would simplify a lot of things so I've opened #1669 to discuss it.
Actually,
Ah, I scanned right past that method because I was looking for one with
If we keep async-std support, however, there is potential pushback from requiring Tokio, since importing it just for
@abonander After acquiring a semaphore permit, you can Also, if you find API gaps, please report them. We are always happy to fill those gaps when possible.
As the author of futures-intrusive, I can tell you that it's pretty much the same as tokio's implementation. Both will use intrusive linked lists, and apparently there are some theoretical issues with those which don't manifest themselves anywhere in practice. It apparently works fine for you in practice, so I don't think there's any downside in keeping it. However if you want to go tokio-only anyway and reduce dependencies, it probably makes sense.
Yeah, for the record, Tokio appears to have the same soundness issue: tokio-rs/tokio#3399
Since the underlying soundness concern seems to be just a bad interaction between how
@Matthias247 I am somewhat concerned, however, about the maintenance status of I myself have a number of crates that I've just kind of forgotten about and haven't had the energy to maintain, so I understand if that's where you're coming from, but since SQLx is deployed in mission-critical applications I don't want to have a bit-rotting dependency to worry about.
@abonander What is your current stance on dropping
@abonander Hello fren, any updates on this? I'm getting dinged with criticals from RustSec advisory about the
@abonander Any updates?
The crate seems to be unmaintained and unsound:
Alternatives:
Semaphores