Tracking issue for cargo audit fixes

[martin-t]

I went through the dep tree to see what needs updating to get cargo audit to pass, here are my notes so far.

• RUSTSEC-2024-0384 - instant is unmaintained
  • no immediate security issue, the suggested replacement is https://crates.io/crates/web-time
• RUSTSEC-2022-0048 - xml-rs is Unmaintained
  • no immediate security issue, should get resolved eventually: Maintenance of xml-rs netvl/xml-rs#221
• RUSTSEC-2021-0119 - nix 0.18.0 and nix 0.20.0
  • calloop in smithay-client-toolkit already updated
  • smithay-client-toolkit in winit already updated
  • needs a new winit release - Make a new release to address security issues found by cargo audit rust-windowing/winit#2038
    • update: it appears that winit never actually uses the vulnerable function so this should be safe to ignore
  • note that a new release will have 2 different vulnerabilities :(
    • correction: the chrono/time crates are (transitively) only dev-deps of winit so they would fail cargo audit CI for winit but probably not for rg3d
• RUSTSEC-2021-0019 - xcb 0.9.0
  • relevant dep path: xcb 0.9.0 <- x11-clipboard 0.5.2 <- copypasta 0.7.1 <- rg3d-ui 0.14.0
  • xcb's maintenance status: https://github.com/rtbo/rust-xcb/issues/107
  • it appears there's no safe upgrade path - options are
    • replacing xcb in x11-clipboard - x11rb suggested here
    • replacing x11-clipboard in copypasta - Alternative quininer/x11-clipboard#19
    • replacing copypasta in rg3d with something else
• RUSTSEC-2020-0097 - xcb - Soundness issue with base::Error
  • It's a only potential issue in that it allows writing unsound code without unsafe. I briefly checked x11-clipboard and it doesn't appear to be touching the ptr field or constructing xcb errors so we should be safe and this can be ignored for now.
  • Also no safe upgrade path, same tracking issue: https://github.com/rtbo/rust-xcb/issues/107
• RUSTSEC-2020-0056 - stdweb 0.4.20 - unmaintained
  • not a vuln - probably safe to ignore for now
  • would be nice to remove from https://github.com/sebcrozet/instant/blob/master/Cargo.toml
  • update: nothing seems to have changed but it's no longer reported by audit
• RUSTSEC-2020-0016 - net2 0.2.37 - deprecated, should use socket2 instead
  • not a vuln - probably safe to ignore for now
  • dependency of mio which is a dependency of notify
  • update notify in rg3d - use prelease? Release 5.0! notify-rs/notify#249
    • https://docs.rs/crate/notify/4.0.17/source/Cargo.toml uses mio 0.6
    • https://github.com/notify-rs/notify/blob/main/Cargo.toml uses mio 0.7 -> maybe this version is already fixed
    • note that this will require some changes in rg3d-ui code - notify's event hierarchy changed and using a channel is different too

[martin-t]

For anyone wondering why this is closed, it appears cargo audit CI was removed in c44cf70.

I think a better solution would be to add unmaintained crates to the list of ignores. It doesn't happen that often, this is the first time in two years. There's probably also a flag to ignore unmaintained in general. That way severe security issues would still be caught if/when they happen. But i also understand the frustration caused by how rust's community handles maintenance and deprecation in general.

Since i still use audit in crates that depend on fyrox, i might keep updating the issue to makes sense of my ignore list. OTOH my projects are somewhat on hold so i make no promises.