Rust RFC Proposes a Security Tab on crates.io for RustSec Advisories
Blog post from Socket
Crates.io is considering adding a Security tab to its crate pages to surface known vulnerabilities and unsound-API advisories sourced from the RustSec advisory database. The proposal, authored by open-source contributor Dirkjan Ochtman, is in its final review stage. Its goal is to bring security context into crate discovery so that developers can evaluate dependencies more effectively before adopting them. The proposal covers unintentional vulnerabilities rather than actively malicious crates, and it explicitly avoids reducing the presence of advisories to a simplistic quality score.

Concerns have been raised about displaying third-party advisory data on crates.io, particularly regarding maintainers' expectations and how users will read "unmaintained" advisories. RustSec's current practice is to collaborate with crate authors on advisories, though unresponsive authors and abandoned crates remain a persistent challenge. If accepted, the proposal will require detailed implementation decisions, including how to present security information without unfairly damaging a crate's reputation.