This repository has been archived by the owner on Mar 23, 2021. It is now read-only.

RUSTSEC-2019-0031: spin is no longer actively maintained #2189

Closed
github-actions bot opened this issue Mar 9, 2020 · 9 comments

Comments


github-actions bot commented Mar 9, 2020

spin is no longer actively maintained

Details
Status: unmaintained
Package: spin
Version: 0.5.2
URL: mvdnes/spin-rs@7516c80
Date: 2019-11-21

The author of the spin crate does not have time or interest to maintain it.

Consider the following alternatives (both of which support no_std):

conquer-once
lock_api (a subproject of parking_lot)
spinning_top spinlock crate built on lock_api

See advisory page for additional details.

thomaseizinger added a commit that referenced this issue Mar 9, 2020
We don't use these features and they bring in unmaintained dependencies:

#2189
@thomaseizinger
Contributor

Output of cargo tree:

❯ cargo tree -i -p spin
spin v0.5.2
└── ring v0.16.11
    ├── libp2p-core v0.16.0
    │   ├── libp2p v0.16.2
    │   │   ├── cnd v0.6.0 (/home/thomas/src/github.com/comit-network/comit-rs/cnd)
    │   │   └── libp2p-comit v0.1.0 (/home/thomas/src/github.com/comit-network/comit-rs/libp2p-comit)
    │   │       └── cnd v0.6.0 (/home/thomas/src/github.com/comit-network/comit-rs/cnd) (*)
    │   ├── libp2p-deflate v0.16.0
    │   │   └── libp2p v0.16.2 (*)
    │   ├── libp2p-dns v0.16.0
    │   │   └── libp2p v0.16.2 (*)
    │   ├── libp2p-floodsub v0.16.0
    │   │   └── libp2p v0.16.2 (*)
    │   ├── libp2p-gossipsub v0.16.0
    │   │   └── libp2p v0.16.2 (*)
    │   ├── libp2p-identify v0.16.0
    │   │   └── libp2p v0.16.2 (*)
    │   ├── libp2p-kad v0.16.2
    │   │   └── libp2p v0.16.2 (*)
    │   ├── libp2p-mdns v0.16.0
    │   │   └── libp2p v0.16.2 (*)
    │   ├── libp2p-mplex v0.16.0
    │   │   └── libp2p v0.16.2 (*)
    │   ├── libp2p-noise v0.16.2
    │   │   └── libp2p v0.16.2 (*)
    │   ├── libp2p-ping v0.16.0
    │   │   └── libp2p v0.16.2 (*)
    │   ├── libp2p-plaintext v0.16.0
    │   │   └── libp2p v0.16.2 (*)
    │   ├── libp2p-secio v0.16.1
    │   │   └── libp2p v0.16.2 (*)
    │   ├── libp2p-swarm v0.16.1
    │   │   ├── libp2p v0.16.2 (*)
    │   │   ├── libp2p-floodsub v0.16.0 (*)
    │   │   ├── libp2p-gossipsub v0.16.0 (*)
    │   │   ├── libp2p-identify v0.16.0 (*)
    │   │   ├── libp2p-kad v0.16.2 (*)
    │   │   ├── libp2p-mdns v0.16.0 (*)
    │   │   └── libp2p-ping v0.16.0 (*)
    │   ├── libp2p-tcp v0.16.0
    │   │   └── libp2p v0.16.2 (*)
    │   ├── libp2p-uds v0.16.0
    │   │   └── libp2p v0.16.2 (*)
    │   ├── libp2p-wasm-ext v0.16.2
    │   │   └── libp2p v0.16.2 (*)
    │   ├── libp2p-websocket v0.16.0
    │   │   └── libp2p v0.16.2 (*)
    │   └── libp2p-yamux v0.16.2
    │       └── libp2p v0.16.2 (*)
    ├── libp2p-secio v0.16.1 (*)
    ├── rustls v0.16.0
    │   ├── async-tls v0.6.0
    │   │   └── libp2p-websocket v0.16.0 (*)
    │   └── libp2p-websocket v0.16.0 (*)
    ├── sct v0.6.0
    │   └── rustls v0.16.0 (*)
    ├── snow v0.6.2
    │   └── libp2p-noise v0.16.2 (*)
    └── webpki v0.21.2
        ├── async-tls v0.6.0 (*)
        ├── libp2p-websocket v0.16.0 (*)
        ├── rustls v0.16.0 (*)
        ├── webpki-roots v0.17.0
        │   └── async-tls v0.6.0 (*)
        └── webpki-roots v0.18.0
            └── libp2p-websocket v0.16.0 (*)

spin is only brought in by ring. Work is already in progress to remove that dependency here: https://github.com/briansmith/ring/pull/924/files

Once that is merged, we will need to wait for libp2p to update to the newest version of ring. Given that libp2p is currently tracking the latest one, I would assume they will update fast.

We also need snow to update to the latest version of ring. Alternatively, if libp2p/rust-libp2p#1467 lands anytime soon, we can opt out of the noise feature and thereby remove snow from our dependency tree.
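An added example (not code from the comit-rs project or from anyone in this thread) that automates the reading done on the inverted tree above: it parses `cargo tree -i -p <crate>` output and reports which crates pull the flagged crate in directly and which workspace (path) crates end up affected. The cut-down sample listing, the `/work/comit-rs/...` paths and the `Triage`/`triage` names are constructed for this example.

```rust
// Added example (not comit-rs code): triage a `cargo tree -i -p <crate>` listing
// to see who pulls the flagged crate in directly and which workspace crates are hit.
use std::collections::BTreeSet;
#[derive(Debug, Default)]
pub struct Triage {
    pub flagged: String,                     // root of the inverted tree, e.g. "spin v0.5.2"
    pub direct_dependents: BTreeSet<String>, // depth 1: crates naming the flagged crate in Cargo.toml
    pub workspace_crates: BTreeSet<String>,  // path dependencies anywhere in the tree: our own code
}
/// Each nesting level is drawn with exactly four columns ("    ", "│   ", "├── ", "└── "),
/// so the depth is the number of prefix characters divided by four.
fn split_prefix(line: &str) -> (usize, &str) {
    let n = line.chars().take_while(|c| matches!(c, ' ' | '│' | '├' | '└' | '─')).count();
    let off = line.char_indices().nth(n).map_or(line.len(), |(i, _)| i);
    (n / 4, &line[off..])
}
pub fn triage(tree: &str) -> Triage {
    let mut t = Triage::default();
    for line in tree.lines() {
        let (depth, entry) = split_prefix(line);
        let name = entry.split_whitespace().next().unwrap_or("");
        if name.is_empty() { continue; }
        if depth == 0 { t.flagged = entry.to_string(); }
        if depth == 1 { t.direct_dependents.insert(name.to_string()); }
        // cargo tree prints path dependencies as "name vX.Y.Z (/abs/path)"; "(*)" marks
        // a subtree already shown, so the BTreeSet deduplicates repeated entries.
        if entry.contains(" (/") { t.workspace_crates.insert(name.to_string()); }
    }
    t
}
/// Constructed, cut-down sample of the listing in the thread (not real output).
pub const SAMPLE: &str = "\
spin v0.5.2
└── ring v0.16.11
    ├── libp2p-core v0.16.0
    │   └── libp2p v0.16.2
    │       ├── cnd v0.6.0 (/work/comit-rs/cnd)
    │       └── libp2p-comit v0.1.0 (/work/comit-rs/libp2p-comit)
    │           └── cnd v0.6.0 (/work/comit-rs/cnd) (*)
    └── snow v0.6.2
        └── libp2p-noise v0.16.2
            └── libp2p v0.16.2 (*)
";
fn main() {
    let t = triage(SAMPLE);
    println!("{} is pulled in directly by {:?}; workspace crates affected: {:?}",
             t.flagged, t.direct_dependents, t.workspace_crates);
}
```

Run it against the real listing by feeding `cargo tree -i -p spin` output to `triage` instead of `SAMPLE`; a single direct dependent (here `ring`) is the signal that only one upstream fix is needed.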

bors bot added a commit that referenced this issue Mar 9, 2020
2194: Remove libp2p-websocket and secp256k1 dependencies r=mergify[bot] a=thomaseizinger

We don't use these features and they bring in unmaintained dependencies:

#2189

Co-authored-by: Thomas Eizinger <[email protected]>
@D4nte
Contributor

D4nte commented Mar 9, 2020

We also need snow to update to the latest version of ring. Alternatively, if libp2p/rust-libp2p#1467 lands anytime soon, we can opt out of the noise feature and thereby remove snow from our dependency tree.

What would libp2p use for encryption and authentication instead of snow?

@thomaseizinger
Contributor

thomaseizinger commented Mar 9, 2020

We also need snow to update to the latest version of ring. Alternatively, if libp2p/rust-libp2p#1467 lands anytime soon, we can opt out of the noise feature and thereby remove snow from our dependency tree.

What would libp2p use for encryption and authentication instead of snow?

We currently use the secio module of libp2p. secio does not depend on snow.

@bonomat
Member

bonomat commented Mar 9, 2020

Am I understanding it correctly that there is nothing to do for us?

@thomaseizinger
Contributor

Am I understanding it correctly that there is nothing to do for us?

There is nothing we can do (yet), yes.

@github-actions
Author

github-actions bot commented Apr 9, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@da-kami
Member

da-kami commented Apr 16, 2020

Seems this PR might never leave draft, from the advisory page:

The author of the spin crate does not have time or interest to maintain it.

Consider the following alternatives (both of which support no_std):

conquer-once
lock_api (a subproject of parking_lot)
spinning_top spinlock crate built on lock_api

We might have to tackle this differently than waiting. @thomaseizinger

@github-actions
Author

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@github-actions
Author

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
