Skip to content

Use time in stead of chrono in hello world example#136

Closed
Swaagie wants to merge 4 commits intoproxy-wasm:masterfrom
Swaagie:chrono-removal
Closed

Use time in stead of chrono in hello world example#136
Swaagie wants to merge 4 commits intoproxy-wasm:masterfrom
Swaagie:chrono-removal

Conversation

@Swaagie
Copy link
Copy Markdown
Contributor

@Swaagie Swaagie commented Jan 31, 2022
edited
Loading

Rust/audit ✅ by sidestepping reported security vulnerability for which there is no clear resolution.
Regenerated lockfiles

Extracted from: #129

@Swaagie Swaagie requested a review from PiotrSikora as a code owner January 31, 2022 11:10
@Swaagie Swaagie mentioned this pull request Jan 31, 2022
Merged
PiotrSikora
PiotrSikora reviewed Jan 31, 2022
View reviewed changes
@Swaagie
dist: use time in stead of chrono and update lockfile
8719e5a 
Signed-off-by: Martijn Swaagman <martijn@swaagman.online>
@Swaagie
dist: lock on minor semver
b542ea2 
Signed-off-by: Martijn Swaagman <martijn@swaagman.online>
@Swaagie
use get_current_time
67b85d0 
Signed-off-by: Martijn Swaagman <martijn@swaagman.online>
@Swaagie
fix: update bazel build
d956542 
Signed-off-by: Martijn Swaagman <martijn@swaagman.online>
@Swaagie
Copy link
Copy Markdown
Contributor Author

Swaagie commented Feb 27, 2022

Is this good to merge?

jcrugzz
jcrugzz approved these changes Mar 30, 2022
View reviewed changes
Copy link
Copy Markdown

@jcrugzz jcrugzz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be cool to get this merged just to clear up the red X on CI. LGTM

PiotrSikora
PiotrSikora requested changes Apr 5, 2022
View reviewed changes
Copy link
Copy Markdown
Member

@PiotrSikora PiotrSikora left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMHO, this change is wrong. The 2 CVEs affecting chrono are:

  • RUSTSEC-2020-0071 - which can be easily fixed by removing oldtime feature from chrono dependency.

  • RUSTSEC-2020-0159 - which doesn't have a clear fix, but it also doesn't affect this project. The CVE is about the unsafe use of localtime_r syscall, which isn't exposed in wasm32-* targets, nor used with DateTime<Utc>. Futhermore, the time crate didn't solve the underlying issue, but they've hidden calls to localtime_r behind a feature flag, so I don't think it's much better, security-wise. Lastly, I believe that chrono is (or was?) more popular in the Rust ecosystem, so I'd prefer to leave it as a more representative example. I agree that we should fix the cargo-audit warning, but that's going to be cleaned up with #140... in the meantime, we can exclude RUSTSEC-2020-0159 using --ignore flag.

@PiotrSikora PiotrSikora mentioned this pull request Apr 5, 2022
Closed
@Swaagie
Copy link
Copy Markdown
Contributor Author

Swaagie commented Apr 6, 2022

Closing in favor of #144

@Swaagie Swaagie closed this Apr 6, 2022
@Swaagie Swaagie deleted the chrono-removal branch April 6, 2022 22:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PiotrSikora PiotrSikora PiotrSikora requested changes

+1 more reviewer

@jcrugzz jcrugzz jcrugzz approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Swaagie @PiotrSikora @jcrugzz