Find a way to migrate off of ring #261
Comments
|
That situation might be resolved with fixes in cargo's dependency resolution. Though updating rfcbot's dependency versions is probably be a good thing anyway... 🙂 |
|
Yeah, I agree that updating rfcbot's dependencies is 100% the right call. I would prefer if we update them now to non-ring deps to sidestep future versioning issues at the same time. |
|
We don't depend on |
|
Yep. I do also think we should be evaluating ways to preclude ring from our builds in those dependency changes. I don't think the author's versioning approach is compatible with our low available bandwidth, especially considering this was discovered in the course of a new contributor sending a PR! New contributors to rfcbot are extremely rare and valuable to the Rust community and I don't want to be in a situation where newcomers might face this uphill battle in the future. |
|
I think rwf2/cookie-rs#113 is the only potential blocker here. |
|
No longer including ring in the dependencies, closing. |
From briansmith/ring#774 it's apparent that ring's author has chosen a very hardline approach to versioning their crate. It's quite possible the "correct" approach from a security perspective. Unfortunately for a project that gets less than an hour of contributor work most weeks it's not tenable to assume we'll have to keep up with an aggressive yanking policy.
Since this currently blocks anyone from contributing, I'll probably try to resolve this soon.
The text was updated successfully, but these errors were encountered: