cf. https://rustsec.org/advisories/RUSTSEC-2024-0384.html
To be fair, backoff appears to be unmaintained too:

- There have been no commits to https://github.com/ihrwein/backoff since the last release almost three years ago.
- There's an open issue, https://github.com/ihrwein/backoff/issues/66, about backoff being unmaintained.
- The author has *no activity at all* on GitHub since 2021.
What can we do? Is "uv" the only package that depends on rust-backoff?
It looks like gotify-desktop and uv both use rust-backoff. It's possible that backoff could be patched to use web-time, or just std::time if any wasm-related features are going to be disabled. I'm not sure such intrusive patching is justified, though.

It's interesting that the Rust community seems to be treating unmaintained dependencies as being inherently a security issue. I can see the perspective, but I'm also accustomed to the idea that there's nothing inherently wrong with unmaintained code unless it's something exceptionally high-risk like an HTTP parser.

For uv in particular, the backoff crate is only used in a set of file-renaming routines, where it's used to work around antivirus programs holding file locks on Windows: https://github.com/astral-sh/uv/blob/37b11ddb227f5f0649f49697ec9b86c8aa468597/crates/uv-fs/src/lib.rs#L219-L370

I opened an upstream issue, https://github.com/astral-sh/uv/issues/10001, along with a PR that would allow uv to compile without backoff on non-Windows platforms, https://github.com/astral-sh/uv/pull/10002.
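To make the "std::time instead of the backoff crate" idea concrete, here is an added example of a retry-with-exponential-backoff rename that depends only on the standard library and is compiled in only on Windows. It is not uv's code and not the backoff crate's; the function names are the example's own, and treating `PermissionDenied` as the signal that a scanner still holds the file is an assumption of the example (uv's actual check lives in the routines linked above).

```rust
// Added example, not uv's code: a std-only retry helper with exponential
// backoff that could stand in for the `backoff` crate in a rename workaround.
use std::fs;
use std::io;
use std::path::Path;
use std::thread;
use std::time::Duration;

/// Retry `op` while it fails with PermissionDenied, sleeping between attempts
/// with exponential backoff: start at `initial`, double each time, cap at `max`.
/// Success, any other error kind, or exhausting `max_attempts` ends the loop.
pub fn retry_with_backoff<T, F>(
    mut op: F,
    max_attempts: u32,
    initial: Duration,
    max: Duration,
) -> io::Result<T>
where
    F: FnMut() -> io::Result<T>,
{
    let mut delay = initial;
    let mut attempt = 1;
    loop {
        match op() {
            Ok(v) => return Ok(v),
            Err(e) if e.kind() == io::ErrorKind::PermissionDenied && attempt < max_attempts => {
                thread::sleep(delay);
                delay = (delay * 2).min(max);
                attempt += 1;
            }
            Err(e) => return Err(e),
        }
    }
}

/// On Windows an antivirus scanner may briefly hold a freshly written file,
/// so the rename is retried. (Assumption of the example: the lock surfaces
/// as PermissionDenied.)
#[cfg(windows)]
pub fn rename_with_retry(from: &Path, to: &Path) -> io::Result<()> {
    retry_with_backoff(
        || fs::rename(from, to),
        10,
        Duration::from_millis(10),
        Duration::from_millis(500),
    )
}

/// On other platforms no retry machinery is compiled in at all.
#[cfg(not(windows))]
pub fn rename_with_retry(from: &Path, to: &Path) -> io::Result<()> {
    fs::rename(from, to)
}

fn main() -> io::Result<()> {
    // Stand-alone demo: write a file in the temp dir and rename it.
    let dir = std::env::temp_dir();
    let from = dir.join("backoff_example_src.txt");
    let to = dir.join("backoff_example_dst.txt");
    fs::write(&from, b"hello")?;
    rename_with_retry(&from, &to)?;
    println!("renamed {} -> {}", from.display(), to.display());
    fs::remove_file(&to)
}
```

The `#[cfg(windows)]` split is the point: the retry helper is a few lines of std, so the platform that needs it gets it and nothing else pulls in a dependency that only exists to sleep between attempts.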
> It's interesting that the Rust community seems to be treating unmaintained dependencies as being inherently a security issue

Not necessarily, they are just being tracked in the same database.
Since https://bodhi.fedoraproject.org/updates/FEDORA-2024-39e169f8b3, uv no longer requires rust-backoff in Rawhide. That will filter down to stable releases sometime in the next few weeks.