I wonder how many people can break (or repair) my builds by pressing a "yank"/"unyank" button somewhere. I would assume that this number is scarily big, but I guess that's natural when you have a lot of dependencies. As opposed to publishing new crates, however, yanking/unyanking doesn't get documented anywhere, right?
I know that, but libraries aren't usually shipped with a Cargo.lock file. And even if cargo build doesn't break, cargo update with a following cargo build does.
My point is that yanking/unyanking probably should be made transparent (i.e. publicly recorded) in some way. It might be used to introduce security relevant bugs/backdoors also.
This is an even more sensitive issue considering that accounts can be hacked. I don't think I even get a private notification myself or a record of some kind if one of my crates is yanked/unyanked (by my own account).
That's not enough, as on that page it's (currently) not visible whether a crate has been yanked or unyanked in the past.
An attacker could temporarily yank a bugfix for a certain period and then unyank it again, leaving seemingly no traces (as yanking history isn't shown in the GUI). There might be more situations where yanking/unyanking could be used to craft an attack. For example, by yanking, I could pinpoint anyone using tokio = { version = "1" } to any published 1.x.x version of tokio. Thus if there's just a single version with a flaw in the version history, I could exploit that.
However, I just learned that the yanking/unyanking history is indeed published (not through the GUI though). It's available at https://crates.io/api/v1/crates/clang-sys/1.5.1 for example. So there is a record of who yanks/unyanks a crate. This diminishes the risk of unnoticed/untraceable attacks through yanking/unyanking (i.e. the data for auditing such things is available).
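The posts above describe two things a defender would want to check from the crates.io API data: whether any version pinned in a Cargo.lock is currently yanked, and whether a version has a yank/unyank cycle in its history (possibly performed by an account other than the one that published it). The script below is an added example, not code from the thread or from crates.io. It assumes the version endpoint (https://crates.io/api/v1/crates/<name>/<version>) returns a top-level "version" object with a boolean "yanked" field and an "audit_actions" list whose entries carry "action" ("publish", "yank" or "unyank"), "time" and "user.login"; verify that layout against a live response before relying on it. All crate names, logins and API responses in the block are constructed, and the fetch function is injected so the example runs offline.

```python
"""Audit the yank/unyank history of the crate versions pinned in a Cargo.lock.

Added example, not from the forum thread. The response layout (version.yanked,
version.audit_actions[].action/time/user.login) is an assumption about the
crates.io version endpoint; the sample data below is constructed.
"""
import json
import re
from typing import Callable, Dict, List

# Constructed responses keyed by (crate, version); not real crates.io data.
SAMPLE_RESPONSES = {
    ("example-crate", "1.5.1"): json.dumps({"version": {
        "crate": "example-crate", "num": "1.5.1", "yanked": False,
        "audit_actions": [
            {"action": "publish", "time": "2022-03-01T10:00:00Z", "user": {"login": "maintainer"}},
            {"action": "yank",    "time": "2022-04-02T08:15:00Z", "user": {"login": "maintainer"}},
            {"action": "unyank",  "time": "2022-04-02T09:40:00Z", "user": {"login": "other-account"}},
        ]}}),
    ("quiet-crate", "0.3.0"): json.dumps({"version": {
        "crate": "quiet-crate", "num": "0.3.0", "yanked": True,
        "audit_actions": [
            {"action": "publish", "time": "2021-11-11T11:11:11Z", "user": {"login": "maintainer"}},
            {"action": "yank",    "time": "2022-05-05T05:05:05Z", "user": {"login": "maintainer"}},
        ]}}),
}

# Constructed Cargo.lock excerpt; the last package is a workspace member with no registry source.
SAMPLE_LOCK = """
version = 3

[[package]]
name = "example-crate"
version = "1.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "quiet-crate"
version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "my-app"
version = "0.1.0"
"""

# Cargo.lock writes name, version, then (for registry crates) source, in that order.
PACKAGE_RE = re.compile(
    r'\[\[package\]\]\s*\nname = "(?P<name>[^"]+)"\s*\nversion = "(?P<version>[^"]+)"'
    r'(?:\s*\nsource = "(?P<source>[^"]+)")?'
)


def registry_packages(lock_text: str) -> List[Dict[str, str]]:
    """Return the packages that come from a registry (path/git/workspace members are skipped)."""
    out = []
    for m in PACKAGE_RE.finditer(lock_text):
        source = m.group("source")
        if source and source.startswith("registry+"):
            out.append({"name": m.group("name"), "version": m.group("version")})
    return out


def version_history(payload: str) -> Dict:
    """Summarise one version endpoint response: current yank state plus the audit trail."""
    data = json.loads(payload)["version"]
    actions = [(a["action"], a.get("user", {}).get("login", "?"), a["time"])
               for a in data.get("audit_actions", [])]
    actors = {login for action, login, _ in actions if action in ("yank", "unyank")}
    return {
        "crate": data["crate"],
        "num": data["num"],
        "yanked": bool(data["yanked"]),
        "actions": actions,
        "unyanked_after_yank": any(action == "unyank" for action, _, _ in actions),
        "actors": sorted(actors),
    }


def audit_lockfile(lock_text: str, fetch: Callable[[str, str], str]) -> List[Dict]:
    """Flag pinned versions that are yanked, were yanked and restored, or were
    yanked/unyanked by someone other than the publisher. `fetch(name, version)`
    returns the JSON body for that version (an HTTP GET in real use)."""
    findings = []
    for pkg in registry_packages(lock_text):
        info = version_history(fetch(pkg["name"], pkg["version"]))
        flags = []
        if info["yanked"]:
            flags.append("currently yanked")
        if info["unyanked_after_yank"]:
            flags.append("has a yank/unyank cycle in its history")
        publisher = next((login for action, login, _ in info["actions"] if action == "publish"), None)
        if publisher is not None and any(login != publisher for login in info["actors"]):
            flags.append("yank/unyank performed by an account other than the publisher")
        if flags:
            findings.append({"crate": info["crate"], "version": info["num"], "flags": flags})
    return findings


def sample_fetch(name: str, version: str) -> str:
    """Offline stand-in for the HTTP request to the version endpoint."""
    return SAMPLE_RESPONSES[(name, version)]


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK, sample_fetch):
        print(f"{f['crate']} {f['version']}: " + "; ".join(f["flags"]))
```

In real use `sample_fetch` would be replaced by a function that performs the GET against crates.io (with a descriptive User-Agent, as the registry asks for), and the audit would be run on every `cargo update` so that a version being yanked and quietly restored, or a yank originating from an unfamiliar account, shows up in CI rather than only in the API.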