As explained by the readme, rand_os was deprecated 5.5 years ago. The high number of downloads on crates.io shows many private projects (reverse dependencies show a very low number of downloads at https://lib.rs/crates/rand_os/rev) may still be using it. Would it make sense to have an advisory about this?
The crate was deprecated because functionality was rolled into rand_core in v0.6. The fact that people are still using this indicates that they are using an old version of rand_core (and presumably rand).
According to the download stats, the vast majority are for 0.1.3, which isn't even the latest version of rand_os (0.2.2, using rand_core v0.4). Why exactly this is, I don't know, but the top three reverse dependencies (by downloads) appear to be related to the same project, which (according to the cardano-serialization-lib source) is still using v0.1 of rand_os (while also depending on rand v0.8, which uses rand_core v0.6 and therefore provides OsRng itself). It may therefore be a single high-profile project responsible for the vast majority of these downloads.
Whether or not you decide to issue an advisory because of high usage of an old crate version I'll leave up to you.
I think we can release an empty rand_os v0.3 with a deprecation notification pointing users to rand_core::OsRng. rand_core v0.2 then would be shown as an outdated dependency (e.g. during cargo update), so direct users would have a chance to learn about the crate deprecation.
I don't think rand_os has any security issues per se.
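A check a downstream project can run to find out whether it is one of those still pulling in rand_os, and through which dependency: it walks a Cargo.lock and reports every locked version of the crate plus each package whose dependency list names it. This is an added example, not rand-rs tooling; the Cargo.lock and the package names app_a and legacy_lib are constructed.

```shell
# Added example, not rand-rs tooling: list every locked version of a deprecated
# crate and each package that still depends on it. Usage: list_dependents <Cargo.lock> <crate>
list_dependents() {
    awk -v crate="$2" '
        /^\[\[package/       { name = ""; ver = ""; indeps = 0; next }
        /^name = /           { gsub(/"/, "", $3); name = $3; next }
        /^version = /        { gsub(/"/, "", $3); ver = $3
                               if (name == crate) { found[ver] = 1; nfound++ }; next }
        /^dependencies = \[/ { indeps = 1; next }
        indeps && /^]/       { indeps = 0; next }
        indeps {
            # entries look like "rand_os 0.1.3 (registry+...)" or just "rand_os"
            gsub(/^[ \t]*"|",?$/, "")
            if ($1 == crate) { n++; dep[n] = name " " ver; depver[n] = $2 }
        }
        END {
            for (v in found) print crate, v, "present"
            for (i = 1; i <= n; i++) {
                v = depver[i]
                # Cargo omits the version when only one copy of the crate is locked
                if (v == "" && nfound == 1) for (k in found) v = k
                print crate, (v == "" ? "?" : v), "<-", dep[i]
            }
        }' "$1"
}

# Constructed Cargo.lock; app_a and legacy_lib are made-up package names.
audit_constructed_lock() {
    lock=$(mktemp)
    cat > "$lock" <<'EOF'
[[package]]
name = "app_a"
version = "0.1.0"
dependencies = [
 "legacy_lib",
 "rand_os",
]
[[package]]
name = "legacy_lib"
version = "1.0.0"
dependencies = [
 "rand_os 0.1.3 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "rand_os"
version = "0.1.3"
EOF
    list_dependents "$lock" rand_os
    rm -f "$lock"
}
audit_constructed_lock
```

Run it against a real lock file with `list_dependents Cargo.lock rand_os`; a dependent that is itself a registry crate points at the upstream project that needs to move to rand_core::OsRng.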