Bug 2214213 - RUSTSEC-2023-0040: users crate marked as unmaintained
Summary: RUSTSEC-2023-0040: users crate marked as unmaintained
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: rust-afterburn
Version: 39
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Jonathan Lebon
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 2212195
Reported: 2023-06-12 09:57 UTC by Fabio Valentini
Modified: 2023-09-21 13:13 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2023-09-21 13:13:17 UTC
Type: ---
Embargoed:
fedora-admin-xmlrpc: mirror+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | coreos afterburn pull 1000 | 0 | None | open | Move away from deprecated `users` to `uzers` | 2023-09-12 13:57:30 UTC
Red Hat Issue Tracker | FC-859 | 0 | None | None | None | 2023-06-12 09:58:25 UTC

Description Fabio Valentini 2023-06-12 09:57:53 UTC
c.f. https://rustsec.org/advisories/RUSTSEC-2023-0040.html

The last release of the "users" crate was on 2020-10-08. This is also the last day on which code changes happened in the project's git repo on GitHub.

The "sysinfo" crate is listed as a possible alternative.

Reproducible: Always

Comment 1 Fedora Release Engineering 2023-08-16 08:10:41 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

Comment 2 Fabio Valentini 2023-09-12 13:26:23 UTC
There appears to be an actively maintained fork now:
https://crates.io/crates/uzers

This should be easier to migrate to than other alternatives.

Comment 3 Jonathan Lebon 2023-09-12 13:57:31 UTC
Got the ball rolling in https://github.com/coreos/afterburn/pull/1000, though CI will probably fail until `uzers` is packaged in Fedora. Were you planning to do that?

Comment 4 Fabio Valentini 2023-09-12 14:08:08 UTC
Thanks!

I was not only planning to do that, I have indeed already done it :)
https://bugzilla.redhat.com/show_bug.cgi?id=2238568

Comment 5 Jonathan Lebon 2023-09-21 13:13:17 UTC
This is fixed upstream and will be in the next release of Afterburn:

https://github.com/coreos/afterburn/issues/999
