Comments (14)
0.7.7 is now published
from ahash.
0.4.8 is also published with a patch.
from ahash.
Yeah backporting the fixes to 0.7 is probably the cleanest way forward. It takes too long for 0.8 to propagate through the indirect dependencies.
from ahash.
I was about to open this issue.
Yanking older versions without making fixed semver-compatible versions available broke a bunch of other crates, preventing `cargo update`, CI runs...
Considering how `ahash` is clearly described as "not a cryptographically secure hash", maybe it's not so critical to immediately prevent people using this from building, and maybe posting these to https://rustsec.org/ rather than yanking would be the best way to handle the security vulnerabilities.
Alternatively, releasing fixed 0.x.n semver-compatible versions for each yanked 0.x.y would also fix this issue.
from ahash.
I encourage everyone to not judge whether or not it was a good call but rather discuss how best to help this crate move forward.
from ahash.
Please see here for the reason: https://github.com/tkaitchuck/aHash/wiki/Yanked-versions
I can work on publishing a patch to the 0.7 branch. But the interface changed so little there is a 99% chance that just bumping the version should be enough
from ahash.
Ah, I just saw #163. This seems to be on purpose.
from ahash.
Yeah, I don't know if yanking the packages was a good call. Now a significant portion of the ecosystem is broken. 🤦‍♂️ This package is 5 levels down one of my dependencies. ouef
from ahash.
> I encourage everyone to not judge whether or not it was a good call but rather discuss how best to help this crate move forward.

It is possible to un-yank versions. (And release a rustsec advisory.)

> I can work on publishing a patch to the 0.7 branch

As far as I'm concerned I stopped compiling because of a "^0.4.4" requirement at depth 5.
from ahash.
I agree with @CryZe. Given how deeply buried `ahash` is in the dependency tree, it would be quite a while before they’re all resolved. If 0.7 could be bumped, that would probably end in the quickest resolution.
A somewhat less quick method but one that could also work well is to backport the fix that caused the yanking in the first place to 0.7.x and release a “hotfix”.
from ahash.
@tkaitchuck much thanks! 🌮 🌮 🌮
from ahash.
@tkaitchuck Thank you so much, what a blast and a fast move. Thanks
from ahash.
Thank you very much, @tkaitchuck!
from ahash.
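The resolution problem discussed in this thread, as an added example that is not part of the original comments or of ahash's code: a simplified model of Cargo's caret requirements showing why a transitive `^0.4.4` requirement cannot be satisfied by a fix released only on 0.8, and why the 0.4.8 and 0.7.7 backports unblock it. The index contents and yanked flags are constructed for illustration (only 0.4.8 and 0.7.7 come from the thread), and pre-release versions and `Cargo.lock` pinning are ignored.

```rust
// Added illustration. Simplified model of a fresh Cargo resolve (no Cargo.lock entry).
type Version = (u64, u64, u64);

/// Caret semantics: `^0.4.4` means >=0.4.4, <0.5.0; `^1.2.3` means >=1.2.3, <2.0.0.
fn caret_matches(req: Version, v: Version) -> bool {
    if v < req {
        return false;
    }
    match req {
        (0, 0, _) => v == req,                         // ^0.0.z allows only 0.0.z
        (0, minor, _) => v.0 == 0 && v.1 == minor,     // 0.x: minor is the breaking component
        (major, _, _) => v.0 == major,
    }
}

struct Release {
    version: Version,
    yanked: bool,
}

/// Highest non-yanked release satisfying `^req`; yanked releases are never newly selected.
fn resolve(index: &[Release], req: Version) -> Option<Version> {
    index
        .iter()
        .filter(|r| !r.yanked && caret_matches(req, r.version))
        .map(|r| r.version)
        .max()
}

/// Constructed registry state; which versions were actually yanked is an assumption.
fn constructed_index(with_backports: bool) -> Vec<Release> {
    let mut idx = vec![
        Release { version: (0, 4, 4), yanked: true },
        Release { version: (0, 7, 0), yanked: true },
        Release { version: (0, 8, 0), yanked: false }, // fixed, but not semver-compatible with 0.4/0.7
    ];
    if with_backports {
        idx.push(Release { version: (0, 4, 8), yanked: false });
        idx.push(Release { version: (0, 7, 7), yanked: false });
    }
    idx
}

fn main() {
    let req = (0, 4, 4); // the "^0.4.4" requirement mentioned in the thread
    println!("before backports: {:?}", resolve(&constructed_index(false), req));
    println!("after backports:  {:?}", resolve(&constructed_index(true), req));
}
```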