Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add unmaintained advisory for safemem #1615

Merged
merged 3 commits into from
Feb 22, 2024
Merged

Add unmaintained advisory for safemem #1615

merged 3 commits into from
Feb 22, 2024

Conversation

oherrala
Copy link
Contributor

@oherrala oherrala commented Feb 20, 2023
edited
Loading

safemem is crate by @abonander who has archived bunch of his Rust crates in GitHub.

See communication attempts on other crates:

@oherrala oherrala mentioned this pull request Feb 20, 2023
Closed
pinkforest
pinkforest suggested changes Apr 6, 2023
View reviewed changes
Copy link
Contributor

@pinkforest pinkforest left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please can we use formatting / fill the necessary detail accordingly per this example:
https://github.com/rustsec/advisory-db/blob/main/crates/buf_redux/RUSTSEC-2023-0028.md

@pinkforest pinkforest added Unmaintained Informational / Unmaintained Waiting-Author Waiting on Author labels Apr 6, 2023
@pinkforest
Copy link
Contributor

pinkforest commented Apr 6, 2023
edited
Loading

@dignifiedquire I understand both buffer-redux and buf-redux relies on this

I wonder if buffer-redux could possibly adopt a fork of this as well .. or drop / switch it by any chance ?

This is because if we would merge this anyone using buffer-redux would get a warning via that about safemem and would like to clarify this first to reduce impact / provide more actionable advice if possible / feasible.

The crate has had some minimal attention like 2019 with basic miri but it's safety related documentation is kinda thin and it uses panics as it's error handling - not drawing any concrete conclusions either way but anyways worth asking 🤷‍♀️

@pinkforest pinkforest added Feedback Needs more feedback and removed Waiting-Author Waiting on Author labels Apr 6, 2023
@dignifiedquire
Copy link

I wonder if buffer-redux could possibly adopt a fork of this as well .. or drop / switch it by any chance ?

Probably makes sense to either inline or replace.

@oherrala
Copy link
Contributor Author

The safemem GitHub repository has been archived: https://github.com/abonander/safemem

This repository has been archived by the owner on Feb 14, 2023. It is now read-only.

@Shnatsel
Copy link
Member

Thanks for the heads-up!

I've changed the advisory to only include very obviously correct and uncontroversial statements. I'm going to go ahead and merge this now that we have a clear signal from the maintainer in the form of an archived repo.

@Shnatsel Shnatsel merged commit dfccc24 into rustsec:main Feb 22, 2024
1 check passed
@Skgland
Copy link
Contributor

Skgland commented Mar 4, 2024
edited
Loading

The safemem crate only has three functions, two of which have standard library alternatives by now and one can be workedaround relatively easily. Would it make sense to include some migration instructions in the form of:

Migration

  • safemem::copy_over(slice, src_idx, dest_idx, len); can be replaced with slice.copy_within(src_idx..src_idx+len, dest_idx); as of rust 1.37.0.
  • safemem::write_bytes(slice, byte); can be replaced with slice.fill(byte); as of rust 1.50.0
  • safemem::prepend(slice, vec); can be replaced with 
    let old_len = vec.len();
vec.extend_from_slice(slice);
vec.rotate_left(old_len);
    as of rust 1.26.0

@amousset
Copy link
Member

amousset commented Mar 4, 2024

Sure 👍, feel free to open a PR.

@Skgland Skgland mentioned this pull request Mar 4, 2024
Merged
amousset pushed a commit that referenced this pull request Mar 4, 2024
@Skgland
add migration instructions for safemem (#1909)
c4a34bd 
- as suggested in <#1615 (comment)>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pinkforest pinkforest pinkforest requested changes

Assignees
No one assigned
Labels
Feedback Needs more feedback Unmaintained Informational / Unmaintained
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@oherrala @pinkforest @dignifiedquire @Shnatsel @Skgland @amousset