Comments (2)
AFAIK the reason auth-rs hasn't yet switched to serde_cbor_2
was basically that there was no need.
Indeed, cargo audit
does complain, but Firefox uses cargo vet
and their own vetting system, so they don't run into that problem.
serde_cbor_2
is basically a hard copy without any code changes to the original (and I know the people behind the fork). And rewiring this crate to the new dependency has significant overhead with regards to vendoring the new dependency in the Firefox repo.
So, as the sources are unchanged, the bump to serde_cbor_2
was not yet considered "worth the effort", I think.
auth-rs
's usage of serde_cbor
is pretty stable and has been vetted, so it being unmaintained shouldn't be a huge problem. And if a (security-) bug does arise, switching over to serde_cbor_2
is still an option.
from authenticator-rs.
I am aware of the nature of the fork - I'm the guy who opened the issue that prompted it and participated in the discussion around it. I'm not expecting immediate action, but I would hope it would not be so casually dismissed as "well it's not causing a problem for me, we'll wait for an exploit". If the inconvenience of changing is as significant as you suggest, an exploit is not the time to need to go through all that, given that it has impact on Firefox.
from authenticator-rs.
Related Issues (20)
- Pre-flighting breaks AppID support HOT 1
- Select a reasonable default pin protocol when `pinUvAuthProtocols` is absent from GetInfo response HOT 1
- Access Raw Auth Data HOT 2
- FIDO_2_0 devices with no pin set - experiencing unexpected make credential behavior HOT 7
- Rewrite tests that use mock devices
- Consider only blinking useful tokens from DeviceSelector
- Add AuthenticatorData::to_writer
- Get rid of bitflags
- Avoid clippy randomly breaking the CI HOT 1
- Add a status update to tell the user to connect a device HOT 1
- Inconsistent Serialization/Deserialization Behavior with Empty Extension Data in attestation.rs HOT 1
- Wrongly enforces getAssertion credential (0x01) member presence in the authenticator response, which is optional in FIDO2 HOT 10
- Support Hybrid Transport / caBLE
- USB transport isn't working and always showing passkey as the first option HOT 2
- AppId Extension is broken again for FIDO2 security keys in Firefox 122 HOT 10
- Broken since last April with SoloKeys (v1) HOT 5
- [Bug] Registration fails when device is full and discoverable credentials is only preferred.
- Review use of GetVersion with CTAP1 devices HOT 2
- Tolerate epAtt member in authenticatorMakeCredential response HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from authenticator-rs.