fix: RUSTSEC-2020-0071 #3150
fix: RUSTSEC-2020-0071 #3150
Conversation
hanabi1224
requested review from
sffc,
robertbastian,
Manishearth,
filmil and
a team
as code owners
|
|
| @@ -3387,17 +3484,6 @@ version = "0.2.0" | |||
| source = "registry+https://github.com/rust-lang/crates.io-index" | |||
| checksum = "3bf63baf9f5039dadc247375c29eb13706706cfde997d0330d05aa63a77d8820" | |||
|
|
|||
| [[package]] | |||
| name = "time" | |||
There was a problem hiding this comment.
time v0.1 removed
|
Not a fan of |
provider/datagen/Cargo.toml
Outdated
| syn = {version = "1.0", features = ["parsing"] } | ||
| tinystr = { version = "0.7.1", path = "../../utils/tinystr", features = ["alloc", "serde", "zerovec"], default-features = false } | ||
| toml = "0.5" | ||
| writeable = { version = "0.5.1", path = "../../utils/writeable" } | ||
| zerovec = { version = "0.9.2", path = "../../utils/zerovec", features = ["serde", "yoke"] } | ||
| zip = { version = "0.5", default-features = false, features = ["deflate"] } | ||
| zip = { version = "0.6", default-features = false, features = ["deflate"] } |
There was a problem hiding this comment.
I'd rather not update zip to 0.6 just yet since we're trying to keep dependencies in sync with other places.
There was a problem hiding this comment.
zip 0.5 depends on time 0.1, which is the root cause of this rustsec issue
There was a problem hiding this comment.
We are not using zip with that feature enabled
There was a problem hiding this comment.
If you would like to, you can add a comment to the dependency allowlist for zip as used by datagen and mention that the list should never contain time unless zip is 0.6.
There was a problem hiding this comment.
Another thing that would be fine is using a range dep: ">=0.5.0, <0.7.0"; basically I do not want to lose the ability to use zip 0.5
There was a problem hiding this comment.
zip v0.6 is also one of the dependencies of cached-path v0.6.1, a range dep >=0.5.0, <0.7.0 does not change the version resolution tho
There was a problem hiding this comment.
cached_path can also get a range, then
There was a problem hiding this comment.
It should be possible to use ICU4X with zip 0.5, basically.
Again, all of this is moot for the time vuln: we're not using zip with that feature enabled
There was a problem hiding this comment.
Ah, i guess cached-path does, which is a bit of a bummer
|
Also this fails MSRV
|
hanabi1224
force-pushed
the
fix-rustsec-2020-0071
branch
from
d3203e2 to
f87a6c1
Compare
|
Notice: the branch changed across the force-push!
~ Your Friendly Jira-GitHub PR Checker Bot |
@Manishearth Correct me if I'm wrong but I think to achieve the MSRV rule, versions of IMHO, to properly test MSRV for a lib crate, it needs to build a crate that depends on this lib without |
|
No, it is sufficient to pin it in the lockfile here. A crate that depends on this will not build with rust 1.61 out-of-the-box, but they can fix this themselves as needed in their own lockfile, it's a pretty normal workflow. While some high-profile crates do guarantee MSRV for themselves and their dependencies, by and large the community does not do this as it usually involves a lot of coordination, and library authors often do not appreciate being asked to sign up for an MSRV because their dependents wish to do so. There are issues open to make Cargo dependency resolution take msrv into account, and most library authors seem to be holding out for that. We achieve an approximation of the out-of-the-box property by having a relatively small number of external dependencies on the main ICU4X crates. If a lockfile pin was needed for a dependency of a main ICU4X crate (not datagen) it would give me some pause, but that's not the case here. We do plan on adding lockfile tests (minimal/maximal versions) and probably will add an MSRV test scoped for the core ICU4X crate. Datagen is a bit special since we don't actually care as much about MSRV there especially in the binary mode. We test it because it's easier to test everything than to test a subset and then accidentally missing stuff, and we do care about MSRV a little bit for library mode (but not enough to want to maintain the out-of-the-box property, datagen is mostly a build time dep for people if they use it via Cargo at all, which is somewhat rare). |
The MSRV CI matters because it means that users have the option to build with MSRV. They are not our only users, there will be users who do not care about MSRV but do have newer versions of a crate in their deptree, and we disadvantage them by forcing multiple versions of a crate (which Cargo can often handle, but sometimes it breaks other things). It's a tradeoff without a single clear answer. |
|
Regarding |
|
(As to why I don't mind that cached-path depends on zip: cached-path is a feature that can be disabled and is not relevant in the context where I need zip 0.5) |
|
@Manishearth fixed as u suggested |
| @@ -77,7 +77,7 @@ tinystr = { version = "0.7.1", path = "../../utils/tinystr", features = ["alloc" | |||
| toml = "0.5" | |||
| writeable = { version = "0.5.1", path = "../../utils/writeable" } | |||
| zerovec = { version = "0.9.2", path = "../../utils/zerovec", features = ["serde", "yoke"] } | |||
| zip = { version = "0.6", default-features = false, features = ["deflate"] } | |||
| zip = { version = ">=0.5, <0.7", default-features = false, features = ["deflate"] } | |||
There was a problem hiding this comment.
you should also cargo update -p zip to get the new version so that the time 0.1 dep disappears from the lockfile
There was a problem hiding this comment.
and cached-path as well
I'm fine maintaining the property that time 0.1 isn't in our lockfile, even if clients will have the opportunity to use older crates.
There was a problem hiding this comment.
Sure but again the lock file does not effect the crate user, I thought it would be easier for u to keep it 0.5 while I can upgrade to 0.6 if that's preferable
There was a problem hiding this comment.
Yes, I understand how lockfiles work.
"A crate with a vulnerability is not in the lockfile" is easy for tooling to check and maintain, even though it doesn't mean we've completely excised the dep from all theoretical dependency chains.
And like I said clients needing to stick to zip 0.5 can, because we are giving them the flexibility.
Ultimately dependency management is something that the application developer at the end of the dependency tree must do: as library authors we can make the job easy for them by reducing deps and keeping things flexible, but different people have different needs and we cannot guess those as library authors. Some people care about MSRV. Others have vendored crates and want to stick to those versions as much as possible. Different people have different security stances around vulnerabilities.
You're seeing the confluence of a bunch of different requirements here.
There was a problem hiding this comment.
@Manishearth time v0.1 is now removed from Cargo.lock
There was a problem hiding this comment.
Because a lot of larger projects (for example Firefox, but there's also stuff in Google) vendor their dependencies, and also care about auditing dependencies. If they already have zip 0.5 they may prefer to stick to that. This is what I meant by "we're trying to keep dependencies in sync with other places": new dependencies are additional overhead for some people, and allowing users the flexibility to avoid that is good.
Not everyone is okay with a bloated dependency tree with multiple versions of the same crate. Different people have different needs and tradeoffs. Not every user of ICU4X is even using Cargo to drive the build.
There was a problem hiding this comment.
I think it's the best to use mono repo and workspace dependencies to avoid duplicate crates in dependency tree. For isolated crate repos it adds unnecessary and unmanageable maintenance burden. Anyways thanks for the review!
There was a problem hiding this comment.
........ yes, precisely, that's my point. We have clients that use monorepos. They would like to avoid duplicate crates, and they would like to avoid having to patch ICU4X's dep spec (or have to figure out when our dependencies are malleable). Expressing that flexibility with range deps helps.
We cannot use a dependency-vendored monorepo because ultimately we are a library and have multiple clients. We aren't trying to avoid duplicate crates, but we are trying to ensure that we do not force duplicate crates onto clients as much as possible.
This is a perfectly manageable maintenance burden for us. Aside from datagen, ICU4X has a low number of dependencies, and even datagen has a manageable number of dependencies if built in certain modes, and we have tests ensuring that.
There was a problem hiding this comment.
Arguably, as a lib crate I think the CI needs to cover all combinations of zip, cached-path versions. And if more crate more versions are added the num of combinations soon become 'unmanageable'
There was a problem hiding this comment.
As I said already, we do have plans for minimal/maximal version testing, and hope to do an MSRV test with minimal/maximal versions for a subset of the project (so, not datagen, would not affect zip/cached-path). Currently we achieve some of these properties to an acceptable level by having very few dependencies on the main part of the project.
There are diminishing returns after you have minimal/maximal testing.
And ultimately it is normal in the Rust community for applications to run a bunch of cargo update --precises if they have specific additional constraints for their dependencies.
…2685) After this, we are still waiting for `indexmap` & `dashmap` to provide the new `hashbrown` to reduce duplicate dependencies, and for `criterion` to remove `clap` and release a new version. We're also waiting for a new version of `icu_datagen` that bumps the `zip` dependency to avoid a potential vulnerability. Ideally, they would also bump the `simple_logger` dependency, which is pretty outdated. In any case, `simple_logger` still uses an unmaintained `atty` dependency. Relevant issues: - xacrimon/dashmap#250 - unicode-org/icu4x#3150 - bheisler/criterion.rs#599 - borntyping/rust-simple_logger#74
This PR tries to fix https://rustsec.org/advisories/RUSTSEC-2020-0071 by removing
time 0.1from dependency tree