
gtk-rs GTK3 bindings - no longer maintained

Open c-git opened this issue 1 year ago • 5 comments

Hi,

Thank you very much for the work done on this crate. cargo-deny brought it to my attention that the gtk-sys crate that this crate depends on is no longer maintained as per their repo. I tried searching to see if there was already an issue here but I couldn't find one. The details of the security advisory follow:

error[unmaintained]: gtk-rs GTK3 bindings - no longer maintained
   ┌─ /home/one/log-viewer/Cargo.lock:37:1
   │
37 │ atk-sys 0.18.2 registry+https://github.com/rust-lang/crates.io-index
   │ -------------------------------------------------------------------- unmaintained advisory detected
   │
   = ID: RUSTSEC-2024-0416
   = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0416
   = The gtk-rs GTK3 bindings are no longer maintained.
     
     The maintainers have archived the repository, and added a note to the crate
     description and its README.md that the crates are no longer maintained.
     
     Please take a look at [gtk4-rs](https://github.com/gtk-rs/gtk4-rs) instead.
     ```
   = Announcement: https://github.com/gtk-rs/gtk3-rs/commit/508a69b63a3c5bf73790e0e59101a955847f30d6
   = Solution: No safe upgrade is available!
   = atk-sys v0.18.2
     └── gtk-sys v0.18.2
         └── rfd v0.15.1
             └── log_viewer v0.2.0

c-git, Dec 23 '24 19:12

Oh, finally, a good excuse to remove the GTK backend :smile:

On a more serious note, the GTK3 backend is already optional, non-default and unrecommended, so I believe it is fine to depend on gtk-sys for it.

PolyMeilex, Dec 23 '24 21:12

Ok, I understand. I'm sorry to hear that though, as that's what I use on Ubuntu. If I'm able to manage the time and can replace it with the new version, would you be open to a PR?

c-git, Dec 24 '24 00:12

Including the other advisory numbers here in case anyone is searching for them.

warning[unmaintained]: gtk-rs GTK3 bindings - no longer maintained
    ┌─ /home/log-viewer/Cargo.lock:148:1
    │
148 │ gdk-sys 0.18.2 registry+https://github.com/rust-lang/crates.io-index
    │ -------------------------------------------------------------------- unmaintained advisory detected
    │
    = ID: RUSTSEC-2024-0418
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0418
    = The gtk-rs GTK3 bindings are no longer maintained.
      
      The maintainers have archived the repository, and added a note to the crate
      description and its README.md that the crates are no longer maintained.
      
      Please take a look at [gtk4-rs](https://github.com/gtk-rs/gtk4-rs) instead.
      ```
    = Announcement: https://github.com/gtk-rs/gtk3-rs/commit/508a69b63a3c5bf73790e0e59101a955847f30d6
    = Solution: No safe upgrade is available!
    = gdk-sys v0.18.2
      └── gtk-sys v0.18.2
          └── rfd v0.15.1
              └── log_viewer v0.2.0

warning[unmaintained]: gtk-rs GTK3 bindings - no longer maintained
    ┌─ /home/log-viewer/Cargo.lock:165:1
    │
165 │ gtk-sys 0.18.2 registry+https://github.com/rust-lang/crates.io-index
    │ -------------------------------------------------------------------- unmaintained advisory detected
    │
    = ID: RUSTSEC-2024-0420
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0420
    = The gtk-rs GTK3 bindings are no longer maintained.
      
      The maintainers have archived the repository, and added a note to the crate
      description and its README.md that the crates are no longer maintained.
      
      Please take a look at [gtk4-rs](https://github.com/gtk-rs/gtk4-rs) instead.
      ```
    = Announcement: https://github.com/gtk-rs/gtk3-rs/commit/508a69b63a3c5bf73790e0e59101a955847f30d6
    = Solution: No safe upgrade is available!
    = gtk-sys v0.18.2
      └── rfd v0.15.1
          └── log_viewer v0.2.0

c-git, Dec 24 '24 01:12
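
Added example, not part of the thread and not code from rfd or cargo-deny: a small parser for the human-readable diagnostics quoted above that groups advisory IDs by the crate the workspace depends on directly, which shows that all three advisories trace back to one dependency. The function names are hypothetical, and it assumes linear `└──` chains like the ones in this output.

```rust
use std::collections::BTreeMap;
// Constructed sample: the three diagnostics quoted in this thread, abridged to ID + chain.
const SAMPLE: &str = "\
= ID: RUSTSEC-2024-0416
   = atk-sys v0.18.2
     └── gtk-sys v0.18.2
         └── rfd v0.15.1
             └── log_viewer v0.2.0
    = ID: RUSTSEC-2024-0418
    = gdk-sys v0.18.2
      └── gtk-sys v0.18.2
          └── rfd v0.15.1
              └── log_viewer v0.2.0
    = ID: RUSTSEC-2024-0420
    = gtk-sys v0.18.2
      └── rfd v0.15.1
          └── log_viewer v0.2.0
";

/// True for "name vX.Y.Z", the shape of a node in the inclusion chain.
fn is_crate(s: &str) -> bool {
    let t: Vec<&str> = s.split_whitespace().collect();
    t.len() == 2 && t[1].starts_with('v') && t[1][1..].starts_with(|c: char| c.is_ascii_digit())
}

/// Returns (advisory ID, chain) pairs. "= name vX" opens a chain and "└── name vX"
/// extends it, so each chain runs from the flagged crate to the workspace crate.
pub fn parse(report: &str) -> Vec<(String, Vec<String>)> {
    let mut out: Vec<(String, Vec<String>)> = Vec::new();
    for line in report.lines().map(str::trim) {
        if let Some(id) = line.strip_prefix("= ID: ") {
            out.push((id.to_string(), Vec::new()));
        } else if let Some((_, chain)) = out.last_mut() {
            let node = line.strip_prefix("= ").or_else(|| line.strip_prefix("└── "));
            chain.extend(node.filter(|n| is_crate(n)).map(String::from));
        }
    }
    out
}

/// Groups advisory IDs by the crate the workspace member depends on directly.
pub fn by_direct_dep(found: &[(String, Vec<String>)]) -> BTreeMap<String, Vec<String>> {
    let mut map: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for (id, chain) in found.iter().filter(|(_, c)| c.len() >= 2) {
        map.entry(chain[chain.len() - 2].clone()).or_default().push(id.clone());
    }
    map
}

fn main() { println!("{:#?}", by_direct_dep(&parse(SAMPLE))); }
```
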

> can replace it with the new version would you be open to a PR

This will prevent all projects that are still on GTK3 (like Tauri) from updating RFD, as having GTK3 and 4 in the same binary will cause linking problems. So it would have to be yet another separate backend.

And on top of that, the update will not be trivial: the current GTK3 backend is a terrible hack that is attempting to hide away the fact that GTK is a full-blown UI toolkit (that loves to store stuff in random globals, so using it in a multithreaded context is a nightmare) rather than a file dialog API.

So to answer your question, if the GTK4 backend ends up being as hacky as the GTK3 one, then I would just prefer to drop it in favor of a proper XDG API. If the GTK4 backend, in contrast to 3, ends up being a sane solution, then sure, we can merge it and live happily ever after.

PolyMeilex, Jan 03 '25 00:01

Thank you very much for the explanation. I honestly don't know if it's worth it for me. I use egui most of the time and for native applications (compared to WASM) there is a really great project that I like and I might just go with that instead. Or try to see if the XDG backend works for me. I 100% agree that if GTK 4 needs to be a hack it's not worth going down that road. I didn't know how hard the upgrade would be, which is why I was considering it, but I have a lot on my plate right now and wasn't even sure how I was going to fit this in when I thought it might be easy.

c-git, Jan 03 '25 00:01