Closed mina86 closed 7 months ago
Ideally I’d love to see a 3.2.2 release with this change but even without that having this commit in upstream repository is beneficial since I can patch to upstream rather than a fork.
This branch, and the 3.x series, is not maintained.
Please update to the latest version.
not everyone has the luxury of migrating to 4.x. 3.x may be pulled in through third party dependency whose update plan is unknown.
It sounds like you have unmaintained dependencies with a cryptographic component. That's bad.
The best solution there is to find a maintained alternative or fork and maintain those dependencies yourself.
> It sounds like you have unmaintained dependencies with a cryptographic component. That's bad.
https://crates.io/crates/solana-program/ has regular releases so it is in fact maintained.
> The best solution there is to find a maintained alternative or fork and maintain those dependencies yourself.
I mean, no, patching curve25519-dalek is a better solution, which is what I’m doing right now. I just hoped to improve the situation by a) not having to patch or b) patch pointing at an upstream commit.
If it's maintained, I suggest opening a PR to bump the curve25519-dalek version, or failing that, an issue notifying them they have an out-of-date, unmaintained dependency and need to upgrade.
It’s been nearly 4 years since the release of Rust 1.41 so there’s no point in keeping such a low MSRV. Issue #362 which was the reason for pinning is over two years old.
From issue #388 we know that:
> however, not everyone has the luxury of migrating to 4.x. 3.x may be pulled in through third party dependency whose update plan is unknown.
Meanwhile, pinning zeroize causes build failure as pointed out in the aforecited issues as well as shown below:
Unpin zeroize crate and update MSRV to 1.60 which is current MSRV of zeroize and a 20 month old Rust release.