
RUSTSEC-2020-0159 #89

Closed
extrawurst opened this issue Nov 10, 2021 · 9 comments

Comments

@extrawurst

Projects using simplelog are currently affected by RUSTSEC-2020-0159. There is also current discussion in the chrono repo about fixing the situation there: chronotope/chrono#499.

Still I was wondering how much of the chrono features simplelog actually relies on? chrono is based on time and the latter caught up a lot on most of the same features chrono provides. Is it an option to cut out the chrono dependency entirely like many other crates do these days and use time directly?

@Drakulix
Owner

chrono is currently used to get the current date (UTC and Local) as well as custom formatting of the printed time string.
(see https://github.com/Drakulix/simplelog.rs/search?q=chrono)

If that sounds like something that time can also provide, I would accept a PR replacing chrono.
But right now - although I understand that this is rather critical for some people - I just do not have the capacity to do this on my own.

@extrawurst
Author

The more I investigated this, the more I doubt switching to time will help: it currently simply returns Err every time you want to convert between UTC and Local or just read out the local time zone :(

@Drakulix
Owner

If you open up any issues over at the time-repository, that can be used to track if this behavior is fixed, please link them here (like you did with the chrono issue). This way, I can easily keep monitoring the situation.

@extrawurst
Author

@tuesdaycodes

@Drakulix per chronotope/chrono#639 chrono seems to be unmaintained and won't be fixed. time-rs/time#380, referenced by @extrawurst, seems to be merged and time updated quite a bit.

Will simplelog be updated soon to remove the insecure and unmaintained chrono crate?

@extrawurst
Author

It really depends how chrono is used though. If we do not rely on timezones the time-rs fix does the trick; otherwise the problem is that the time-rs 'fix' will error if you ask for a local time (piecing this together from memory, but it had limitations).

@tuesdaycodes

Is that with the newest version of time?

@Drakulix
Owner

Drakulix commented Feb 5, 2022

Alright, I have replaced chrono with time on this branch: #95

Given that this causes some API breakage and is not entirely feature compatible with what simplelog did provide (unsoundly) with chrono, I will not put out a release right away, but ask everyone involved and watching to test and review the new changes.

For convenience this was also published as version 0.12.0-alpha1 on crates.io.
When no new issues or suggestions pop up, this will be released as 0.12.0 shortly, but otherwise I will take the time needed to revise the API. Anyone with an immediate need to update may use the alpha version(s?) in the meantime.

Please continue the discussion on #95.
(This issue will be kept open until this is resolved for better visibility, but discussion surrounding the new approach/implementation should be directed to the pull request.)

@Drakulix
Owner

Fixed by #95
