Xuanwo commented on issue #1064: URL: https://github.com/apache/iceberg-rust/issues/1064#issuecomment-2712784549
> Does the crate really need maintenance? It's really easy, outputs deterministic results, and has no runtime dependencies.

Hi, I fully agree with your statements here. However, the ASF has been seen as [open-source software stewards](https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Article_24.html) (according to the [CRA](https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Articles.html)), so it is our own responsibility to ensure our dependencies are up to date and well-maintained. Otherwise, at some point (though no one has yet), someone may raise a CVE against us, forcing us to take urgent action.

We can still defend our position as we've discussed here, but most end users—who may not even know what Rust is—only find us because our project appears in their [SBOM](https://www.ntia.gov/page/software-bill-materials). They will simply see that `paste` is unmaintained and treat it as a security issue.

Ultimately, we need to take action. We should either remove `paste` entirely or migrate to another library.