Following the README source install directions, cargo install --git https://github.com/boxdot/gurk-rs gurk fails to find a sufficient version for curve25519-dalek.
The unpinned curve25519-dalek URL results in cargo finding the current head version, 3.2.1, which fails the 2.0 series requirement. Builds that use the lockfile have a the commit pined from the initial resolution when presage was first added and still function.
Since the problematic dependency specification exists within the signal repositories, if a resolving dependency chain cannot be made consider updating the README.md to add the --frozen flag to the suggested cargo install invocation for source installs to use the locked resolution.
Bckempa
commented
1 year ago
Following the README source install directions,
cargo install --git https://github.com/boxdot/gurk-rs gurkfails to find a sufficient version forcurve25519-dalek.The dependency chain causing the issue is: gurk v0.2.5-dev (https://github.com/boxdot/gurk-rs/tree/4b9c454b7dad1ea7f402aacc4a721ae286528da2) presage v0.2.0 (https://github.com/boxdot/presage.git?rev=f908e8f#f908e8ff) libsignal-service v0.1.0 (https://github.com/boxdot/libsignal-service-rs?rev=8be91da2#8be91da2) zkgroup v0.7.3 (https://github.com/signalapp/zkgroup?tag=v0.7.3#197c382e) curve25519-dalek ^2.0.0 (https://github.com/signalapp/curve25519-dalek.git?branch=lizard2)
The unpinned
curve25519-dalekURL results in cargo finding the current head version, 3.2.1, which fails the 2.0 series requirement. Builds that use the lockfile have a the commit pined from the initial resolution when presage was first added and still function.Since the problematic dependency specification exists within the signal repositories, if a resolving dependency chain cannot be made consider updating the
README.mdto add the--frozenflag to the suggestedcargo installinvocation for source installs to use the locked resolution.