advisory-db icon indicating copy to clipboard operation
advisory-db copied to clipboard
verified publisher icon rustsec

Report `sevenz-rust` and `lzma-rust` as unmaintained

Open FelixEngl opened this issue 1 year ago • 6 comments

Hello everyone,

The owner (dyz1990) of the two crates sevenz-rust and lzma-rust has deleted their GitHub account and the associated GitHub repositories. There is no way to contact the author or open a GitHub issue according to the unmaintained policy, so the url field is not included in the advisory.

Regarding the "implicitly unmaintained" rationale: The last release was 2 months ago, but as described in the previous paragraph: The author has deleted their GitHub account and therefore abandoned the crates, and neither "stale repository" nor "90 days unresponsive" can be applied.

Best regards Felix

FelixEngl avatar Sep 23 '24 08:09 FelixEngl

@FelixEngl Did you confirm that dyz1990's GitHub account was really deleted? If their account has been flagged, other users cannot access to the account and the associated repositories. So I think you should ask him about them first. According to the forked lzma-rust's log, their email address may be [email protected].

sorairolake avatar Sep 27 '24 07:09 sorairolake

Hi @sorairolake, no I didn't even know that this was a thing. I'll try to contact them this week when I find the time for it.

FelixEngl avatar Sep 28 '24 16:09 FelixEngl

I can't find information on how a suspended account looks to other users (github definitely displays an account-suspended message to the account owner).

There's no redirect to a new name. Commits are still associated with the username, but GitHub doesn't turn the username into a link.

I think regardless of whether it's deleted or suspended (without resolution for months, which may be permanent), the sole crate owner has no ability to make releases.

kornelski avatar Dec 04 '24 13:12 kornelski

Hi! I also tried to contact the original author to take over the maintenance of the original crates but couldn't reach them. Since we needed a maintained version of those crates for our project , I decided to use the last git version I could find of the original repo (0.6.0), backport the changes from 0.6.1 and then continued the development / maintenance of the crate. They can be found under the crate names "sevenz-rust2" and "lzma-rust2".

hasenbanck avatar Feb 26 '25 10:02 hasenbanck

The situation with this crate has not changed

loganmc10 avatar Apr 05 '25 07:04 loganmc10

Per #2032, I think we're not quite at the point where we're ready to merge this, feel free to ping again in 3-6 months.

djc avatar Apr 05 '25 08:04 djc