Add unmaintained notice for magic and magic-sys #1179

Closed

mellowagain

  • The author's GitHub page @robo9k states that all their repositories are provided as-is and no maintenance is intended.
  • The author is unresponsive on GitHub issues
  • Both crates didn't have any new commits since November 2021

It may also be worth a shot to add the unmaintained notice to the author's other crates: https://crates.io/users/robo9k

@robo9k

robo9k commented Feb 5, 2022

Hej hej,

a couple remarks from myself:

> The author's GitHub page @robo9k states that all their repositories are provided as-is and no maintenance is intended.

This is correct, I do not intend to actively maintain my GitHub repositories unless noted otherwise. However, both the magic crate as well as the magic-sys crate are somewhat passively-maintained. Note that this is no absolute guarantee, but such a thing doesn't exist in general anyways.

> The author is unresponsive on GitHub issues

How so? Both the currently open robo9k/rust-magic issues and robo9k/rust-magic-sys issues are labeled "enhancement" and have been created by me, there are no open pull requests.
While I'm aware that the magic crate is not feature complete with the magic-sys crate which in turn might be missing things from the libmagic C library it uses, there are no open user requests for those features either.
Due to FFI usage there has to be unsafe code in the magic crate. No soundness nor security issues are reported/unfixed. If anything I'd expect security issues in the libmagic C library, which is linked against, not bundled in magic-sys (except for package.metadata.vcpkg.rev via vcpkg).

I've considered adding the Rust Bus as additional owners of both crates, but so far believe the crates are still maintained "enough" by myself.

> Both crates didn't have any new commits since November 2021

This is correct. As noted above, the crates are not feature complete, but there has not been demand either.
I could publish the latest alpha versions as stable versions, but then again there has been no user feedback nor demand.
I believe this is what the "passively-maintained" badge is intended for and for "maintainer intends to respond to issues that get filed" see absolute guarantee and bus factor.

> It may also be worth a shot to add the unmaintained notice to the author's other crates

Feel free to do so. I've tried to have a maintenance badge on each crate, but especially older ones haven't been published as a new version just to add that metadata so you can consider them "experimental" or unmaintained.

All in all it's left up to you to decide adding that info to the advisory-db.

@tarcieri
Member

tarcieri commented Feb 5, 2022

Sounds to me like magic and magic-sys don’t qualify as unmaintained crates per our (somewhat informal) policy

@Shnatsel
Member

Shnatsel commented Feb 5, 2022

Thank you @mellowagain for the report, and @robo9k for chiming in!

We usually only carry unmaintained notices if the author is completely unresponsive, and unable to hand over the crates.io crate name. This is clearly not the case here, so I am going to go ahead and close this pull request.

The current policy for what is considered unmaintained is somewhat poorly documented; that is an issue we should address on the advisory-db side.

@Shnatsel Shnatsel closed this Feb 5, 2022
@mellowagain
Author

Thank you @robo9k for replying.

> This is correct, I do not intend to actively maintain my GitHub repositories unless noted otherwise. However, both the magic crate as well as the magic-sys crate are somewhat passively-maintained. Note that this is no absolute guarantee, but such a thing doesn't exist in general anyways.

That is nice to hear as this is one of the crates I'd like to depend upon in my project. Thank you.

> How so? Both the currently open robo9k/rust-magic issues and robo9k/rust-magic-sys issues are labeled "enhancement" and have been created by me, there are no open pull requests. While I'm aware that the magic crate is not feature complete with the magic-sys crate which in turn might be missing things from the libmagic C library it uses, there are no open user requests for those features either. Due to FFI usage there has to be unsafe code in the magic crate. No soundness nor security issues are reported/unfixed. If anything I'd expect security issues in the libmagic C library, which is linked against, not bundled in magic-sys (except for package.metadata.vcpkg.rev via vcpkg).
>
> I've considered adding the Rust Bus as additional owners of both crates, but so far believe the crates are still maintained "enough" by myself.

This discussion on your rust-magic-sys issue tracker prompted me to do this, as the author of that issue has been trying to contact you from October 2020 until December 2020 but has as of now not yet received any reply from your side and thus decided to abandon their contribution (which I'd love to have included in magic-sys - I may try my own shot at this)

> This is correct. As noted above, the crates are not feature complete, but there has not been demand either. I could publish the latest alpha versions as stable versions, but then again there has been no user feedback nor demand. I believe this is what the "passively-maintained" badge is intended for and for "maintainer intends to respond to issues that get filed" see absolute guarantee and bus factor.

I understand. Thank you for clarifying.

> Feel free to do so. I've tried to have a maintenance badge on each crate, but especially older ones haven't been published as a new version just to add that metadata so you can consider them "experimental" or unmaintained.

Considering you're responsive, I will not do so as it does not fit with the policy (as far as I can see, considering it is informal)


I'd like to apologize to @robo9k for opening this pull request. I acted within the belief that these two crates were in fact unmaintained and your README.md on your GitHub profile seemingly confirmed my suspicion. I should've tried reaching out beforehand but I didn't. This was a mistake from my part. I sincerely hope you are not hurt by my assumption that your hard work is unmaintained and not appreciated.

@robo9k

robo9k commented Feb 5, 2022

@mellowagain if you want to discuss this further, I believe an issue in the respective repo would be more appropriate than this closed pull request here.
Nonetheless I'll try to respond to your points below:

> This discussion on your rust-magic-sys issue tracker prompted me to do this, as the author of that issue has been trying to contact you from October 2020 until December 2020 but has as of now not yet received any reply from your side and thus decided to abandon their contribution (which I'd love to have included in magic-sys - I may try my own shot at this)

Nitpick, but the author of this "contributions welcomed" meta-ish issue is me. IIRC not all the issues from my comment had been addressed, but I didn't invest the time to investigate and follow up further back then. This is unfortunate and the lack of communication was unfair towards this contributor, but good intention from my side but lack of time is exactly what can happen in such hobby projects and thus the maintenance badge and my remark about absolute guarantee.
Also note that as a bit of a tantrum the contributor withdrew their changes, so I could not use them anymore now or whenever I have the time.

> I'd like to apologize to @robo9k for opening this pull request. I acted within the belief that these two crates were in fact unmaintained and your README.md on your GitHub profile seemingly confirmed my suspicion. I should've tried reaching out beforehand but I didn't. This was a mistake from my part. I sincerely hope you are not hurt by my assumption that your hard work is unmaintained and not appreciated.

No worries and there's no need to apologize :)
I've tried to clarify the general "no maintenance intended" definition on my GitHub profile in a new commit I just added.
Maybe I should add a badge like Maintenance to the crate READMEs now that crates.io doesn't render them anymore, but no promises here either.
