
Commit d5c278e

Elaborate on informational="unsound" (#1322)
* Elaborate on `informational="unsound"`
* wording
1 parent bd30502 commit d5c278e

1 file changed, +3 -5 lines


MAINTAINERS_GUIDE.md

Lines changed: 3 additions & 5 deletions
@@ -13,11 +13,9 @@ You can usually make changes directly to the sumbitter's branch. It's a great wa
1313
If no upstream issue has been filed, ask the reporter to file one first.
1414

1515
## Check if there are any fixed versions
16-
We don't want to carry a non-actionable advisory if a fix is forthcoming. It's alright to delay by a day or two and then publish it once the fix ships.
16+
We don't want to carry a non-actionable advisory if a fix is forthcoming. It's alright to delay by a day or two and then publish it once the fix ships. If a fix has been applied in git but not released to crates.io, ask the upstream for a new point release.
1717

18-
If a fix has been applied in git but not released to crates.io, ask the upstream for a new point release.
19-
20-
If the upstream is unresponsive or is not interested in fixing the issue, we can carry the advisory anyway, but this can be a delicate matter. See [here](https://github.com/rustsec/advisory-db/issues/1092) for guidance, and feel free to consult the [Rust Moderation team](https://www.rust-lang.org/governance/teams/moderation) in case of doubt.
18+
If the upstream is unresponsive or is not interested in fixing the issue, we can carry the advisory anyway, but this can be a delicate matter. See [here](https://github.com/rustsec/advisory-db/issues/1092) for guidance, and feel free to consult the [Rust Moderation team](https://www.rust-lang.org/governance/teams/moderation) in case of doubt. If the upstream project disputes the existence of the issue, and it doesn't have a high severity, `informational = "unsound"` should be used; then `cargo audit` will report it as a warning rather than a hard error.
2119

2220
## Make sure the advisory text is clear and actionable
2321
If you don't understand what's going on, most users won't either. Ask the submitter specific questions to clarify the advisory text, if needed.
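Review bot: the sentence added at new line 18 makes `informational = "unsound"` conditional on the upstream disputing the issue plus a vague severity bar, whereas the metadata section later in this file defines `unsound` by the nature of the issue (a soundness hole only a programmer, not malicious input, can trigger). As written, a disputed memory-safety bug that is reachable from untrusted input would also qualify, which would downgrade it to a `cargo audit` warning for every user. Suggest stating both conditions, e.g. `If the upstream disputes the existence of the issue and it is a low-severity soundness issue (see "Check that the metadata is correct"), use informational = "unsound"`. "it doesn't have a high severity" also leaves open who judges severity and by what rule; pointing at the criterion the database applies would make this actionable. The claim that `cargo audit` reports it "as a warning rather than a hard error" holds only by default: users can run `cargo audit --deny warnings` (or `--deny unsound`) to fail on it, so "by default" is worth adding. Merging the point-release sentence into the preceding paragraph and dropping the stray blank lines (old 18-20) is fine.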
@@ -27,7 +25,7 @@ Avoid editing the text directly without clearing it with the submitter first; us
2725
## Check that the metadata is correct
2826
The date should be set to the original disclosure of the issue, not the date of the pull request.
2927

30-
`informational = "unsound"` is used for [soundness issues](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) that can only be triggered by a programmer (as opposed to e.g. a malicious input), and/or require very contrived code to trigger.
28+
`informational = "unsound"` is used for [soundness issues](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) that can only be triggered by a programmer (as opposed to e.g. a malicious input), and/or require very contrived code to trigger. They will be surfaced as warnings instead of hard errors by `cargo audit`.
3129

3230
`informational = "unmaintained"` has a [policy](https://github.com/rustsec/advisory-db/blob/main/HOWTO_UNMAINTAINED.md) associated with it; make sure it is followed. If any items are missing, advise the submitter how to proceed.
3331
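Review bot: the clause added at new line 28 ("They will be surfaced as warnings instead of hard errors by `cargo audit`") duplicates the statement the first hunk adds at new line 18; keeping a single description of the `cargo audit` behaviour, ideally here next to the definition of `unsound` with the earlier paragraph referring to this section, stops the two from drifting apart. Whichever copy survives should say "by default", since `cargo audit --deny warnings` (or `--deny unsound`) turns these into errors. Separately, "and/or" in the definition is ambiguous: it does not say whether a contrived-code-only issue that is still reachable from malicious input qualifies. Spell out whether either condition suffices ("or") or both are required ("and").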
