Re: [PATCH 1/7] xdiff: introduce rust

"brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes:

> I was one of the maintainers for Git LFS for several years.  We
> routinely had people come to us and say, "This dependency you're using
> has a portion that you're not using, which has a CVE.  I demand you
> update it and do a new release immediately because our security scanner
> is going off and our company policy is that there be no exceptions."
> This happens literally all the time and I absolutely in no case want to
> see those people on this list or the security list.

Ahh, the kind we love not to have.

> So the options as I see them are (a) we don't check in Cargo.lock, (b)
> we convince the Rust project and the ecosystem to provide LTS releases
> with security fixes, or (c) we only accept dependencies that have our
> same lifetime policy (which are very few and far between).  I know this
> makes builds unreproducible (although not under the Reproducible Builds
> project's definitions), but we really don't have many alternatives.

Thanks for a well-reasoned argument.

Hopefully as Rust matures more, some of these issues (starting with
"6 weeks and it is too old to bother") would resolve themselves, but
until then we'd need to be careful.
