paste - no longer maintained

[JackThomson2]

paste is marked as no longer maintained: https://rustsec.org/advisories/RUSTSEC-2024-0436 When running cargo-audit this now flags as a warning.

Can we look to move to an alternative to this crate?

[daniel5151]

Ah, that's right. I recall stumbling across that news while skimming through /r/rust the other day...

I must admit - the first thought I had when I saw this issue pop-up this morning was to link to https://lucumr.pocoo.org/2024/3/26/rust-cdo/. paste is a lovely little crate that does one thing, does it well, and hasn't really needed any updates over the years. IMO, the fact that its unmaintained is not particularly interesting, given that the crate is effectively "done" at this point.

That said - I'm well aware of the role RustSec (and its associated tooling) plays in a many projects, so I'm not opposed to exploring ways to keep gdbstub an "easy" dependency to add to any kind of project, big or small.

IMO, there are 3 approaches here:

1. cargo vendor the paste code into gdbstub
2. Explore reputable alternatives to paste that are expected to be maintained in the long-term
3. Remove the dependency on paste altogether, and just hand-maintain the code in https://github.com/daniel5151/gdbstub/blob/master/src/protocol/commands.rs

My personal preference would be to go with the 3rd option, as that aligns a bit more closely with my approach to writing Rust code nowadays. I suspect it'll be pretty easy to pull off as well, assuming you're using rust-analyzer's Expand Macro functionality.

That said - if you can point me to a reputable fork of paste, that is being maintained by a known-good maintainer (i.e: with a proven track-record of open-source stewardship under their belt), we can explore the 2nd option as well.

I'd like to avoid cargo vendor if possible, purely on aesthetic grounds.