Why were all versions prior to 0.14 of this crate yanked?

[sgrif]

On January 10 all versions from 0.9.4 to 0.14.0-alpha4 were yanked, along with the versions of untrusted that they depended on. This has broken the build of any crate which had a dependency on older versions of ring anywhere in their build. For example, crates.io can no longer accept any pull request which makes any changes to our Cargo.toml, as any attempts to do so will resolve several of our dependencies to ancient versions from before they depended on Ring, since the versions used can no longer be resolved.

Was there a reason for yanking all of these versions? Yanking is typically only done if there is a severe bug or security vulnerability found in a version, but I cannot find any security advisory involving Ring. I also can't find a changelog anywhere to see if there was a critical fix listed in 0.14.

Given the severe effects this has on the ecosystem, could you elaborate on why these were yanked?

[sgrif]

Just a note, the reason this affected crates.io is due to our use of an older version of the cookie crate. It looks like even the most recent version of cookie doesn't use 0.14 yet though, so this has effectively broken every Rust web app out there

[briansmith]

There is no way other than yanking them to indicate that they're not supported.

[briansmith]

1. I don't answer questions about old versions of ring unless somebody has a support contract with me.
2. I happily answer questions about the latest version.

[sgrif]

@briansmith Yanking is not intended to indicate that a version is unsupported. It's specifically meant for cases where a version is fundamentally broken (security vuln, syntax error, forgot to include a file, etc).

Having a clear policy for supported versions is more than enough to indicate what is or isn't supported. Using yanking for this purpose does nothing other than break folks builds.

Just to be clear, one of the effects of this is that crates.io (a service which ring directly depends on) is no longer able to update any of our dependencies, and there is currently no way for us to remedy that. Please consider unyanking these versions which do not have a specific version to be yanked.

I don't answer questions about old versions of ring unless somebody has a support contract with me.

I'm certainly not looking for answers to questions about older versions or any sort of support, just that you consider unyanking these versions. I'm also happy to handle it for you if I can get consent to do so.

[briansmith]

I only provide the latest version for free. Whether earlier versions are safe to use is up for you to determine. I only recommend people use the latest version. I'm not going to unyank the previous versions unless/until one of my customers asks me to.

[briansmith]

Keep in mind that a lot of the changes in ring are sourced from BoringSSL and they don't provide any guidance on which versions are safe or not safe to use, or which change fixes a security bug or the exploitability of any bug or anything like that. Even OpenSSL upstream from BoringSSL often understates risks of not taking a bug fix or doesn't even notice that one of their bug fixes addresses an exploitable vulnerability. This is one of the main reasons I only support the latest version of ring.

[sgrif]

I would love nothing more than to be able to ask you as a customer. Unfortunately crates.io is an open source service we provide free of charge, so we don't have the funds for that.

[briansmith]

I would love nothing more than to be able to ask you as a customer. Unfortunately crates.io is an open source service we provide free of charge, so we don't have the funds for that.

Right, and I understand that. My suggestion for people who don't have money is to always use the latest version.

[sgrif]

This is one of the main reasons I only support the latest version of ring.

Again, I am absolutely not asking you to support any older versions. Only that you don't break the builds of folks on those versions.

Right, and I understand that. My suggestion for people who don't have money is to always use the latest version.

These are dependencies of our dependencies, many of which are unmaintained. This isn't something that's in our control, and updating all of them ourselves would be a significant undertaking on an already strained team.

I'm clearly not going to change your mind on this, so I'm going to back away from this conversation. I hope you reconsider using yanking like this in the future, as it's incredibly disruptive to existing applications when you do so. Right now someone looking to create a brand new Rust web app will be unable to do so, which severely hampers the adoption of the Rust language.

[briansmith]

I am planning to yank 0.13.x soon as well.

Keep in mind that I don't even remember what 0.12.x and earlier versions were like. As soon as I release a new version, I completely stop thinking about the old version. Nobody is keeping track of problems with old versions. If I leave the old versions sitting around on crates.io, there might be a problem with them, and then somebody would blame me for not yanking them due to that problem. So, I just assume that old versions are problematic.

Also keep in mind that I'm trying to get this crate to "1.0" and spending time on older versions distracts from that.

[sgrif]

You already yanked 0.13 on the 10th FYI.

…

On Sat, Jan 26, 2019 at 12:59 PM Brian Smith ***@***.***> wrote: I am planning to yank 0.13.x soon as well. Keep in mind that I don't even remember what 0.12.x and earlier versions were like. As soon as I release a new version, I completely stop thinking about the old version. Nobody is keeping track of problems with old versions. If I leave the old versions sitting around on crates.io, there might be a problem with them, and then somebody would blame me for *not* yanking them due to that problem. So, I just assume that old versions are problematic. Also keep in mind that I'm trying to get this crate to "1.0" and spending time on older versions distracts from that. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#774 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABdWKwXv72XsYd-Yigsre9n4EwYR4z1Jks5vHLOngaJpZM4aUVeI> .

[briansmith]

I mean, I will yank the last 0.13.x version, 0.13.5, soon, so only crates with ring = "0.14" or later will work.