Report slice-deque as unmaintained

[Moxinilian]

A panic safety issue has been pointed out in gnzlbg/slice_deque#90 four months ago, a fix was offered in gnzlbg/slice_deque#91 three months ago but has still not been merged, the crate has last received a new commit two years ago and the maintainer seems inactive.

Tracked at gnzlbg/slice_deque#94

[Shnatsel]

Last activity by the author on Github has been on Feb 21, 2021 and has been very sporadic even prior to that.

The author is the sole maintainer of cargo-asm, which I love dearly.

Could you contact the maintainer directly and ask to add a second maintainer on their projects, or https://github.com/rust-bus if they don't have anyone in mind?

[Moxinilian]

I could not find any way to contact the maintainer beyond the issue I opened on the repo that has been left unanswered for 20 days.

[Shnatsel]

Git commits include an email address, [email protected]. We should email them about slice-deque and cargo-asm, thank for their contributions so far, and ask to appoint a maintainer or add rust-bus.

[ammaraskar]

Just checking in, did either of you end up sending out an email?

[Moxinilian]

Sorry! I forgot about it. If you want to do it you can, otherwise I’ll probably do it later today. React with a thumb up if you’re doing it.

[Moxinilian]

By the way, I sent the mail.

[tarcieri]

Cool, let's wait a little bit to hear back

[Shnatsel]

We should probably write up with a template so that we don't have to compose an email from scratch every single time.

[Moxinilian]

This is a good idea. Here is what I sent:

Hello!

You appear to own a few crates on crates.io that are used a lot by the community. Thank you for your work!

One of them, slice_deque, has a security vulnerability and a PR fixing it open for a couple months now. Are you still maintaining those crates?

If you no longer can, consider giving access to those crates to a second maintainer or the
https://github.com/rust-bus !

Thanks again for the work.

[tarcieri]

@Moxinilian hear anything back yet?

[Moxinilian]

No reply so far!

[LiquidityC]

What are the options if we get no response? Yet another rust dep fork?

[tarcieri]

At this point I think we've waited a sufficiently long time for a reply. I'm going to go ahead and merge this.

@LiquidityC yes, at this point I'd suggest someone create a maintained fork and address the security issues.

[LiquidityC]

I created a maintained fork for slice_deque here: https://github.com/LiquidityC/slice_ring_buffer

I'm not going to be working on it but the security advisory has been patched and I can handle the occasional PR etc. Is there any way to flag this fork as an alternative to the original?

[tarcieri]

You can submit a PR to this advisory adding a link to your maintained alternative:

https://github.com/rustsec/advisory-db/blob/main/crates/slice-deque/RUSTSEC-2020-0158.md