but I could call, say, 1.27 the minimum
I'm assuming an abort (not a panic, you cannot catch unwind for aborts) in a library is a vulnerability?
@tarcieri
oh, okay, so it's fine according to rustsec guidelines
rust doesn't really prevent you from panicking, and it's easy to catch unwind in a server application
so, sure, a HTTP request will return error 500 or whatever, but it won't crash the entire server
but sure
as it were I'm in the midst of refactoring some code so it doesn't have to be
RefUnwindSafe
i think it's a great thing that Rust forces you to think about "will my application be in proper state when a panic occurs somewhere"
Hi, I work on a project, where we are trying to aggregate CVEs for many different languages and ecosystems (like PyPi, NPM, Maven etc.). The current approach works by collecting data from various sources and processing them in various ways, but it has many pitfalls due to the lack of clear versioning scheme like semver or backporting fixes to some older versions etc. Anyway, do you have any plans for an automated way in which the RUSTSEC advisories could be submitted? e.g. some Github bot. and, on the other hand, some API/RSS feed for fetching data about the advisories?
It would be nice, it there was a system that could be used across all languages, though I am not sure if that isn't too ambitious.
i'm not sure how to continue from here
didn't want to make it public
that's more or less the "standard" now... I think mostly from people cargo culting what Project Zero does
hi there, considering that most people are importing dependencies without reading their code and that these can contain build script or procedural macros that can compromise one's computer, I was thinking we should maybe provide a sandboxed offline compilation process by default in Cargo (SELinux, Hyper-V APIs, jail). What is your opinion on such a thing?
@tarcieri Do we have an integrated solution in the mean time? Sanboxing without losing integration with IDEs etc.
