Add advisory for pkcs11
#1282
Add advisory for pkcs11
#1282
Conversation
|
Also, depending on what happens with mheese/rust-pkcs11#57 I might add the |
|
Did a quick pass. Looks good so far 👍 |
|
Also, notably, the security issues in the crate will become not as significant soon since the incorrect use of transmute_copy will just panic :) Looks good to me though (other than the date, which I noted). I checked and the guideline for an unmaintained advisory is 90 days. So while I think the crate is pretty clearly unmaintained, it might be best to just put this out. Besides, "unmaintained" is a 'weaker' advisory than "wow this will segfault if you touch it wrong". The impact section does seem verbose... Maybe at least split it into 2 paragraphs, 1 being the background knowledge about PKCS11 and its API, the second one being "so what does this mean for me who uses this library?" That or remove the background info entirely and only leave the sentences that are directly relevant to "why should I, as a I feel everything before "The raw pointers can be easily created in Rust, [...]" can either be split out into a new paragraph or removed. |
|
@5225225 an unmaintained crate advisory can be filed separate to this one, and marked This advisory is debatably |
Signed-off-by: Ionut Mihalcea <ionut.mihalcea@arm.com>
|
Alright, shuffled some of the text around and made it shorter, also added |
|
Looks good to me! Definitely cleaner now. |
There was a problem hiding this comment.
LGTM.
@ionut-arm if you want to remove "Draft" I can merge.
Also if someone's interested it would be good to remove pkcs11 from the RCIG's Awesome Rust Cryptography list since it appears it's unmaintained: https://github.com/The-DevX-Initiative/RCIG_Coordination_Repo/blob/main/Awesome_Rust_Cryptography.md
I'll make a PR to do that. |
Done!
Thank you! |
#1280
Feedback is more than welcome, I think the
Impactsection is a bit verbose :[cc @5225225