Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

adler is archived #1992

Open
jayvdb opened this issue Jul 3, 2024 · 14 comments
Open

adler is archived #1992

jayvdb opened this issue Jul 3, 2024 · 14 comments

Comments

@jayvdb
Copy link
Contributor

jayvdb commented Jul 3, 2024

https://crates.io/crates/adler has a lot of dependents, including https://github.com/rust-lang/backtrace-rs via https://github.com/Frommi/miniz_oxide .

See Frommi/miniz_oxide#148

https://github.com/jonas-schievink/adler was archived around 25 March 2024. Seems most of their repos were also archived.

https://github.com/jonas-schievink last commit was September 2023.

@fintelia
Copy link

fintelia commented Jul 7, 2024

24% of all crates on crates.io transitively depend on adler, but it has only 9 direct dependents. Approximately all indirect dependencies are via miniz_oxide. The adler32-simd crate uses alder as a dev dependency and the other 7 dependents have orders of magnitude fewer downloads.

@smoelius
Copy link
Contributor

smoelius commented Jul 7, 2024

24% of all crates on crates.io transitively depend on adler

@fintelia How did you figure this out?

@dtolnay
Copy link
Contributor

dtolnay commented Jul 7, 2024

You can divide "Used in 35,426 crates" (https://lib.rs/crates/adler) by "150,348 Crates in stock" (https://crates.io).

To see the historical metric, cargo tally --relative --transitive adler

@smoelius
Copy link
Contributor

smoelius commented Jul 7, 2024

Thanks, @dtolnay!

@tarcieri
Copy link
Member

tarcieri commented Jul 7, 2024

24% of all crates on crates.io transitively depend on adler, but it has only 9 direct dependents.

Given that, it would probably make sense to work directly with those 9 crates, perhaps opening an issue if there isn't one already and linking it here, rather than immediately publishing an advisory for this (or at least, wait until it's been fixed upstream so the advisory is actionable, and that action is to update Cargo.lock)

Otherwise, this is going to be a very noisy advisory with little actionable impact aside from those 9 crates, especially as we don't currently have ways of filtering out advisories for transitive dependencies.

@Skgland
Copy link
Contributor

Skgland commented Jul 7, 2024

I think it is of note that of those 9 direct dependants

  • simd-adler32, and pixelmosh have adler only as a dev-dependency
    • pixelmosh only has one dependant which has no dependants itself
  • cargo-attributions, intelligit, emote-psb, zawk, nod, and rxsync have no dependants

this leaves only miniz_oxide with both adler as a normal dependency and with dependants.

@fintelia
Copy link

fintelia commented Jul 8, 2024

I think this will be an interesting test case of whether it always makes sense to issue unmaintained advisories: The adler crate implements a decades old checksum algorithm. It is only a couple hundred lines total, most of which are comments or tests. It has been is heavily tested and fuzzed, uses no unstable features, and contains no unsafe code.

@jayvdb
Copy link
Contributor Author

jayvdb commented Jul 10, 2024

Archived repos effectively cant receive bug reports. Even more so when the owner of the repo appears to have intentionally stopped all activity here, in which case it is preferable to respect their decision and avoid contacting the maintainer except in a critical circumstance.

@oyvindln
Copy link

As the maintainer of miniz_oxide I would be fine with forking it however ideally it would be nice if there was someone besides me that could help out maintaining it and miniz_oxide (or maybe moving it to an org or something). The situation around it is not really ideal at the moment as I'm the only maintainer at the moment as the actual owner of the miniz_oxide repo and other person with access rights has not had any activity since June last year so I don't know if they are even still around.

@tarcieri
Copy link
Member

@oyvindln alternatively you could vendor the relevant code and drop the dependency, since there don’t seem to be that many other users

@oyvindln
Copy link

I guess I'll fork it then - I'd rather keep it separate since there are actually some other active users of it.

@oyvindln
Copy link

oyvindln commented Aug 4, 2024

Okay - I have made a fork called adler2:
https://crates.io/crates/adler2

Will make an update to miniz_oxide soon with a semver bump that updates to using adler2 instead of adler if this looks fine.

@oyvindln
Copy link

oyvindln commented Aug 5, 2024

Also ping @jonas-schievink in case they are still watching github

@oyvindln
Copy link

oyvindln commented Aug 9, 2024

I've now also updated miniz_oxide to use adler2 - so main thing that remains is to update flate2 and backtrace to this version I guess

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

7 participants