Most of the "$crate has been unmaintained" advisories are for crates that have sat around for a while without any clear indication of maintenance and then after months somebody gets around to asking the maintainer if they've stopped maintaining the thing.
But in some circumstances perhaps there isn't a long period of lack of maintenance, but where the maintainer feels a responsibility to help people understand that some period of inactivity is to be expected. And, maybe indefinitely so. Right now there is not a good way for the maintainer to broadcast this in a timely and effective way without tripping people's CI "supply chain integrity" jobs.
Probably there should be a way to configure "supply chain integrity" tools so that, if a crate has been "unmaintained" for less than X days, then CI shouldn't break. After all, somebody might pick up maintenance of it again quickly. But, apparently it is unclear from reading the metadata how a tool would calculate the approximation of the value of X; there need to be at least two dates to subtract from each other, but there's only one.
I realize this is a tricky issue and I'm not really planning to participate in designing a solution. However, this came up in discussions with some open source maintainers about why it is difficult for them to send in an "unmaintained" advisory for their projects; they don't want to break people's CIs. And I think for important non-technical reasons it is something worth addressing.
We generally try to track that on the date of the advisory, which usually points to an issue where the original inquiries as to the maintenance status were made.
It isn't a formal field though (FWIW we changed withdrawn to be a date for that reason)
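A sketch of the grace-period check proposed above, as an added example (not code from the advisory database or from any audit tool): it reads the `date` and `withdrawn` fields from the `[advisory]` table of a constructed RustSec-style advisory and only fails CI for an unmaintained crate once that date is older than a configurable number of days. The sample advisory below is constructed; its id, package and URL are placeholders.

```python
import re
from datetime import date, timedelta

# Constructed sample of the TOML table at the top of an advisory file.
# The id, package and url are placeholders, not a real advisory.
SAMPLE_ADVISORY_TOML = """
[advisory]
id = "RUSTSEC-0000-0000"
package = "example-crate"
date = "2024-03-01"
informational = "unmaintained"
url = "https://example.invalid/issue"

[versions]
patched = []
"""


def parse_advisory_fields(text):
    """Collect the string-valued keys of the [advisory] table (no TOML library needed)."""
    fields = {}
    in_advisory = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_advisory = line == "[advisory]"   # leave when another table starts
            continue
        kv = re.match(r'(\w+)\s*=\s*"([^"]*)"', line)
        if in_advisory and kv:
            fields[kv.group(1)] = kv.group(2)
    return fields


def should_fail_ci(fields, today, grace_days):
    """Decide whether this advisory should break the build on `today`.

    Only informational "unmaintained" advisories get a grace period, measured
    from the advisory's own `date` field; a withdrawn advisory never fails CI.
    """
    if "withdrawn" in fields:
        return False
    if fields.get("informational") != "unmaintained":
        return True   # a vulnerability advisory is never waived by age
    published = date.fromisoformat(fields["date"])
    return today - published >= timedelta(days=grace_days)


if __name__ == "__main__":
    f = parse_advisory_fields(SAMPLE_ADVISORY_TOML)
    print(f["package"], should_fail_ci(f, date.today(), 30))
```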