cortex-m VS advisory-db

I do not have as strong of feelings as your parent, but:

1. A lot of the APIs make use of the typestate pattern, which is nice, but also very verbose, and might turn many people off.

2. The generated API documentation for the lower level crates relies on you knowing the feel for how it generates the various APIs. It can take some time to get used to, especially if you're used to the better documentation of the broader ecosystem.

3. A bunch of the ecosystem crates assume the "I am running one program in ring0" kind of thing, and not "I have an RTOS" sort of case. See the discussion in https://github.com/rust-embedded/cortex-m/issues/233 for example.

For cortex-m support, check out the cortex-m crate

See https://github.com/rust-embedded/cortex-m/tree/master/panic-semihosting

I don't think so. Once a function is compiled, it basically becomes a black box with a type signature so unless sleeping in a function affects its signature, that information is erased. If you pass in some kind of a sleep token that has to be used to sleep, then yeah I think you could enforce it by only being able to get that token in a non-atomic context and making it leak proof.

The Cortex-M crate does something similar, but for proving that you are in an atomic context. Another function that expects a CriticalSection type is then assured that it's running without interrupts enabled.

https://github.com/rust-embedded/cortex-m/blob/master/src/in...

You might also want to add this to https://github.com/rustsec/advisory-db so that cargo audit and Dependabot surface it.

The behavior of not extracting outside the specified directory has been the default since forever in Rust's tar. And then it had two RUSTSEC advisories for not handling this correctly in certain corner cases. The latest one in 2021.

cargo-audit only checks for known issues reported to a vulnerability database.

However, I keep getting this error when running cargo audit bin ~/.cargo/bin/*, even if I replace * with a specific binary: Fetching advisory database from `https://github.com/RustSec/advisory-db.git` Loaded 467 security advisories (from C:\Users\jonah\.cargo\advisory-db) Updating crates.io index error: I/O operation failed: The system cannot find the path specified. (os error 3) I'm on Windows 10.

I usually open an issue asking if the crate is still maintained. If there isn't a response for a decent amount of time (like multiple months) and the crate is somewhat popular then it could be worth opening an unmaintained advisory in the advisory-db

Here is the visualization of RustSec Advisory Database. I hope it will be helpful. If you need any more charts, feel free to comment.

FWIW the RustSec database is still not synced into the Github databse on a regular basis, even though they did an initial import of it. So the cargo audit github action is still relevant.