-
-
Notifications
You must be signed in to change notification settings - Fork 220
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RFC]: Support EOL #419
base: master
Are you sure you want to change the base?
[RFC]: Support EOL #419
Conversation
Have you considered |
Sure, I have considered that option in the first place, but I'm a little worried about special case handling which will be introduced. At least in tests ruby-advisory-db/spec/advisories_spec.rb Lines 6 to 21 in 75e23ae
bundler-audit in Database class in several places, like here https://github.com/rubysec/bundler-audit/blob/ad5afdadf6b792eca6e4ae872e1bb858fa9cdc2c/lib/bundler/audit/database.rb#L226-L228
And what do you think about .yml file structure? |
If a gem/ruby is EOLed, but it does not have any security issues, why should you stop using it? I don't see why ruby-advisory-db should track EOLs. Seems a little out of scope. |
Actually, would there be interest in creating a separate repo just for EOLs? |
Personally, I consider the use of EOL software to be a security issue,
whether it has an actual security vulnerability or not. It means nobody is
actively maintaining the code, so if an issue is found, it may not ever be
fixed. Much easier to plan a migration away while there isn’t currently a
vulnerability than trying to rush something in the heat of the moment. In
fact, I’ve seen such a requirement to not use EOL software come up in
corporate legal agreements more than a few times.
…On Thu, Oct 24, 2019 at 5:35 PM Postmodern ***@***.***> wrote:
Actually, would there be interest in creating a separate repo just for
EOLs?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#419?email_source=notifications&email_token=AACV767PBFFOLM2EATWAZVTQQI5MDA5CNFSM4JDQTCP2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECG2JIY#issuecomment-546153635>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACV7645LE2KL22DNQQEUPLQQI5MDANCNFSM4JDQTCPQ>
.
|
@reedloden key word there is when a security advisory is published after the EOL. The time between EOL and first advisory is a grey area. I am still in favor of creating another repo database dedicated to EOLs or orphaned gems. |
Gems sometimes go out of and then back into maintenance. I think having one "EOL date" might not capture that easily. Would adding something like |
I noticed this PR was approved, but still think it's out of scope of tracking security advisories. The amount of data to track whether a gem is currently maintained is much less than what is necessary to represent an advisory. Additionally, maybe this could be an attribute which could be added to rubygems.org's database scheme? |
#416
I have included only 2 examples of how it can be implemented.
gems/eol.yml
file format:I see
title
attribute here as always useless, because it will every time be the same, something like"<gem name> is deprecated"
.rubies/eol.yml
file format:Here I see
description
field as useless, as it will always be the same, like"<engine> is deprecated, you should upgrade"
.But for consistency, we can provide
title
anddescription
in both variants.I can think of an alternative implementation:
Where
ruby-sass.yml
has format:And
ruby.yml
has format:Will add missing tests after agreeing on implementation.