tustvold commented on PR #6074: URL: https://github.com/apache/arrow-rs/pull/6074#issuecomment-2258909552
`cargo audit` has functionality to suppress advisories if you aren't impacted by them - https://github.com/rustsec/rustsec/blob/main/cargo-audit/README.md#ignoring-advisories

> I also do not believe it is excessively onerous to ask the package maintainers to release a compatible patch for something serious enough to warrant a CVE number.

If you are willing to help backport this fix, Andrew has kindly offered to cut a release for you. We're all volunteers here; I would ask you understand that our capacity and time is limited.

FWIW a CVE, much like RUSTSEC, is simply an advisory mechanism. In both cases it is expected that downstream projects assess said advisories, determine to what extent they impact them, and act accordingly. In this case a CVE was filed because it was reported via the Apache security team; if it had been reported in a different manner it might have been a RUSTSEC advisory instead. There isn't anything special about a CVE that makes it warrant different handling from any other advisory.
