Merge pull request #39 from hi-rustin/rustin-patch-yank-message

Add "Yank crates with a reason" goal
rust-lang · Jul 8, 2024 · 68245db · 68245db
2 parents 05dbdba + 786f9b5
commit 68245db
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 1 deletion.
diff --git a/src/2024h2/yank-crates-with-a-reason.md b/src/2024h2/yank-crates-with-a-reason.md
@@ -0,0 +1,72 @@
+# Yank crates with a reason
+
+| Metadata |                      |
+| -------- | -------------------- |
+| Owner(s) | [hi-rustin]          |
+| Teams    | [crates.io], [Cargo] |
+| Status   | WIP                  |
+
+[hi-rustin]: https://github.com/hi-rustin
+[Cargo]: https://www.rust-lang.org/governance/teams/dev-tools#team-cargo
+[crates.io]: https://www.rust-lang.org/governance/teams/dev-tools#team-crates-io
+
+## Summary
+
+Over the next 6 months, we will first implement a feature in crates.io that asks for a reason when an administrator yanks a crate. After this feature has been up and running for a while, we'll open it up to Cargo to support filling in the reason for yanking, making it an optional parameter of the registry yank API.
+
+## Motivation
+
+When a crate is updated to address a critical issue—such as a fix for a soundness bug or a security vulnerability—it is beneficial to yank previous versions and prompt users to upgrade with a yank reason. Additionally, if a crate is renamed or deprecated, the yank message can provide guidance on the new recommended crate or version. This ensures that users are aware of necessary updates and can maintain the security and stability of their projects.
+
+### The status quo
+
+We came up with [this need](https://github.com/rust-lang/cargo/issues/2608) eight years ago, but it was never implemented.
+
+This feature has the following potential use cases:
+
+1. When a crate is fixed because it will be broken in the next version of the compiler (e.g. a soundness fix or bug fix) then the previous versions can be yanked and nudge users forward.
+2. If a crate is fixed for a security reason, the old versions can be yanked and the new version can be suggested.
+3. If a crate is renamed (or perhaps deprecated) to another then the yank message can indicate what to do in that situation.
+
+Additionally, if we can persist this information to the crates.io index, we can make it available as meta-information to other platforms, such as security platforms like RustSec.
+
+
+### The next 6 months
+
+* Implementing basic prototypes in crates.io
+* Trial run at crates.io for a while
+* Support for yank messages on the Cargo command line(unstable)
+* Stabilize this parameter and use it as a standard parameter for the registry [yank API]
+
+[yank API]: https://doc.rust-lang.org/cargo/reference/registry-web-api.html#yank
+
+## Design axioms
+
+When considering this feature, we need to balance our desire for a perfect, structured yank message with a usable, easy-to-use yank message. We need to start with this feature and leave room for future extensions, but we shouldn't introduce complexity and support for all requirements from the start.
+
+## Ownership and other resources
+
+**Owner:**
+
+* [hi-rustin]: wearing my crates.io team member's hat
+* [hi-rustin]: wearing my Cargo regular contributor's hat
+
+| Subgoal                                                     | Owner(s) or team(s)            | Status |
+| ----------------------------------------------------------- | ------------------------------ | ------ |
+| Yank crates with a reason                                   |                                |        |
+| ↳ Implementation in crates.io side(only for administrators) | [hi-rustin]                    |        |
+| ↳ Try it out in crates.io                                   | ![Team][] [crates.io]          |        |
+| ↳ Author RFC                                                | [hi-rustin]                    |        |
+| ↳ Approve RFC                                               | ![Team][] [Cargo], [crates.io] |        |
+| ↳ Implementation in Cargo side                              | [hi-rustin]                    |        |
+| ↳ Inside Rust blog post inviting feedback                   | [hi-rustin]                    |        |
+| ↳ Stabilization decision                                    | ![Team][] [Cargo]              |        |
+
+[TBD]: https://img.shields.io/badge/TBD-red
+[Team]: https://img.shields.io/badge/Team%20ask-red
+
+## Frequently asked questions
+
+### What might we do next?
+
+We could start with plain text messages, but in the future we could consider designing it as structured data. This way, in addition to displaying it to Cargo users, we can also make it available to more crates-related platforms for data integration and use.
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -14,7 +14,7 @@
         - [Seamless C support](./2024h2/Seamless-C-Support.md)
         - [Contracts and invariants](./2024h2/Contracts-and-invariants.md)
         - [Next-generation trait solver](./2024h2/next-solver.md)
-        - [a-mir-formality](./2024h2/a-mir-formality.md)        
+        - [a-mir-formality](./2024h2/a-mir-formality.md)
         - [Project goal slate](./2024h2/Project-goal-slate.md)
         - [Rust 2024 Edition](./2024h2/Rust-2024-Edition.md)
         - [Relaxing the orphan rule](./2024h2/Relaxing-the-Orphan-Rule.md)
@@ -25,6 +25,7 @@
         - ["Stabilizable" prototype for expanded const generics](./2024h2/min_generic_const_arguments.md)
         - [Const traits](./2024h2/const-traits.md)
         - [Extend pubgrub to match cargo's dependency resolution](./2024h2/pubgrub-in-cargo.md)
+        - [Yank crates with a reason](./2024h2/yank-crates-with-a-reason.md)
     - [General notes](./2024h2/notes.md)
 - [📖 Learn about](./about/index.md)
     - [Goal motivations](./about/motivation.md)