Advisories
Dawid Ciężarkiewicz edited this page Apr 23, 2019 · 4 revisions
crev's package reviews come with a simple advisory system.

A package review can optionally include an advisory. It marks the reviewed version as containing an important fix and urges users of earlier versions to upgrade.
Example of a package review containing an advisory:

```yaml
version: -1
date: "2019-04-22T21:53:15.382584127-07:00"
from:
  id-type: crev
  id: ZLBAs8cpEy-sIP0ORhOzrxcBxVJQx4Ie6I-b5SLkXE4
  url: "https://github.com/dpc/crev-proofs-test"
package:
  source: "https://crates.io"
  name: base64
  version: 0.5.2
  digest: wMN3VR6EWaI5i7BCYScLsbC1irWcLsEc3TAouoaGoK8
review:
  thoroughness: none
  understanding: none
  rating: positive
advisory:
  affected: major
  critical: true
  comment: "https://github.com/RustSec/advisory-db/blob/master/crates/base64/RUSTSEC-2017-0004.toml"
```
`affected` sets the range of versions that might have been affected. `major` means "all previous releases in the same major cycle".

`critical` should be set to `true` when the advisory is of particular importance (typically: a security fix).

Both advisories themselves, and the `critical` field in particular, are left for authors and the community to decide on. Overusing them might lead to people distrusting the author altogether.
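As an added example (this is not crev's own code), the following Python reads the proof body shown above and applies the `affected: major` rule as the page defines it: an installed version is flagged when it is strictly earlier than the reviewed version and shares its major number. To run offline without PyYAML it includes a small parser for the two-level `key: value` layout of the proof; the installed versions it checks are constructed sample data, and the `minor` and `all` ranges are assumed extra values handled by analogy, not something this page describes.

```python
"""Interpret the `advisory` section of a crev package review (added example)."""

# The proof body from the page, embedded verbatim as the input.
EXAMPLE_PROOF = """\
version: -1
date: "2019-04-22T21:53:15.382584127-07:00"
from:
  id-type: crev
  id: ZLBAs8cpEy-sIP0ORhOzrxcBxVJQx4Ie6I-b5SLkXE4
  url: "https://github.com/dpc/crev-proofs-test"
package:
  source: "https://crates.io"
  name: base64
  version: 0.5.2
  digest: wMN3VR6EWaI5i7BCYScLsbC1irWcLsEc3TAouoaGoK8
review:
  thoroughness: none
  understanding: none
  rating: positive
advisory:
  affected: major
  critical: true
  comment: "https://github.com/RustSec/advisory-db/blob/master/crates/base64/RUSTSEC-2017-0004.toml"
"""


def _scalar(raw):
    """Convert a YAML scalar: quoted string, boolean, integer, or bare string."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_proof(text):
    """Minimal indentation-based parser for the nested mappings used in a proof body."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # dedent: close finished mappings
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":  # a key with no value opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value)
    return root


def parse_version(s):
    """Parse 'major.minor.patch' into a comparable tuple of ints."""
    parts = str(s).split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version syntax: {s!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed, reviewed, affected):
    """Apply the `affected` range relative to the reviewed (fixed) version."""
    inst, fixed = parse_version(installed), parse_version(reviewed)
    if inst >= fixed:
        return False  # the fixed release itself, or anything newer, is fine
    if affected == "major":  # page's definition: earlier release, same major cycle
        return inst[0] == fixed[0]
    if affected == "minor":  # assumed analogous value, not described on the page
        return inst[:2] == fixed[:2]
    if affected == "all":  # assumed analogous value, not described on the page
        return True
    raise ValueError(f"unknown affected range: {affected!r}")


def advisory_report(proof_text, installed_versions):
    """Summarise which installed versions the advisory says should upgrade."""
    proof = parse_proof(proof_text)
    pkg = proof["package"]
    advisory = proof.get("advisory")
    if advisory is None:
        return {"package": pkg["name"], "critical": False, "upgrade": []}
    upgrade = [v for v in installed_versions
               if is_affected(v, pkg["version"], advisory["affected"])]
    return {"package": pkg["name"], "fixed_in": str(pkg["version"]),
            "critical": bool(advisory.get("critical", False)), "upgrade": upgrade}


if __name__ == "__main__":
    # Constructed sample of versions found in some lockfiles.
    print(advisory_report(EXAMPLE_PROOF, ["0.4.2", "0.5.0", "0.5.2", "0.6.0", "1.0.0"]))
```

Note that a literal reading of "same major cycle" puts every `0.x` release in one cycle, so `0.4.2` is flagged alongside `0.5.0` here; whether that matches the reviewer's intent is exactly the judgement call the page leaves to authors and the community.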