Upgrade time dependency to "0.3"

[notmandatory]

Versions of time crate prior to 0.2.23 fail audit due to RUSTSEC-2020-0071.

Crate: time
Version: 0.1.43
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23

[jhpratt]

I highly recommend you do not rely on time-macros directly. It is designed solely to be re-exported through time and can have otherwise breaking changes at any point. The best thing to do is enable the macros feature on the time crate.

[notmandatory]

@jhpratt thanks for the recommendation, I removed the time-macros dev-dependency and enabled the time "macros" feature.

[Plecra]

Thanks for the PR! I'm still not sure we need the time dependency at all, but this will fit nicely into the overdue bugfixes release.

For those investigating this issue, it appears that the vulnerability doesn't affect zip's usage of time 0.1. It's still a hazard, but only for the conversions made in client code.

Can you please bump the MSRV version to support your clippy annotations, and I'll merge this :)

[jhpratt]

No, zip's current usage is unsound, as time::now is called here. Being a library, there is no guarantee that a user is not calling std::env::set_var at the same time time::now is being called.

[Plecra]

Oh! My mistake, then this needs to be pushed through promptly. Do you know how this should be addressed w.r.t yanking?

[jhpratt]

Personally, I decided to leave the affected time versions up, as it would mean yanking the entirety of 0.1 (I wasn't concerned about the early releases of 0.2). For zip, I don't see it as an issue that needs yanking, as it requires some very uncommon circumstances to occur. That is, of course, my opinion. Do what you feel is best.

[notmandatory]

I bumped MSRV to 1.52.0 which should conform to your MSRV policy of 4 minor releases prior to current stable. Also fixed cargo fmt 😞, sorry for rookie error. Found a cargo doc error too and fixed that.

[djc]

@Plecra can we get this out now? Thanks!

[lex148]

@Plecra. I too would really like to see this PR released as soon as possible. I know your probably busy, but is there anything we can do to help you with this.