Reconsider yanking policy #3

pheki opened this issue Oct 22, 2021 · 2 comments
pheki (Contributor) commented Oct 22, 2021

I've noticed you have yanked all older versions of monocypher-rs, but this is not always considered a good practice in Rust.

ring used to do it, but it caused lots of discussions, resulting in rust-lang/crater moving from ring to openssl (rust-lang/crater#394) and ring starting to yank only known-vulnerable versions. See this comment from pietroalbini (member of many Rust teams). It's a bit subjective, but my personal opinion is similar: crates should be yanked only when there's a semver-compatible release available.

Related discussions:

On an unrelated note, I'm contributing a little to this crate but I don't wish to give too much maintenance burden, sorry if I am...

jan-schreib (Owner) commented

Yes, at the time I thought it was a good idea. You are correct though, when releasing a new version I will not continue to yank the old ones.

Thanks for bringing this up!

> On an unrelated note, I'm contributing a little to this crate but I don't wish to give too much maintenance burden, sorry if I am...

Don't worry about it, I'm happy when people are participating in a productive way.

pheki (Contributor, Author) commented Oct 28, 2021

Well, it's so hard to know what the current best practices are; I think I only know about this because I've been bitten by the transitively yanked ring before ;)

pheki closed this as completed Oct 28, 2021