dalek-cryptography / curve25519-dalek

A pure-Rust implementation of group operations on Ristretto and Curve25519

Unpin zeroize version and update MSRV #606

Closed mina86 closed 7 months ago

mina86 commented 7 months ago

It’s been nearly 4 years since the release of Rust 1.41 so there’s no point in keeping such a low MSRV. Issue #362 which was the reason for pinning is over two years old.

From issue #388 we know that:

This is now resolved in the release/4.0 branch. Next release (or prerelease) will have a laxer zeroize dependency.

however, not everyone has the luxury of migrating to 4.x. 3.x may be pulled in through a third-party dependency whose update plan is unknown.

Meanwhile, pinning zeroize causes a build failure, as pointed out in the aforecited issues as well as shown below:

error: failed to select a version for `zeroize`.
    ... required by package `der v0.7.8`
    ... which satisfies dependency `der = "^0.7"` (locked to 0.7.8) of package `pkcs8 v0.10.2`
    ... which satisfies dependency `pkcs8 = "^0.10"` (locked to 0.10.2) of package `ed25519 v2.2.3`
    ... which satisfies dependency `ed25519 = "^2"` (locked to 2.2.3) of package `tendermint v0.34.0`
    ... which satisfies dependency `tendermint = "^0.34.0"` (locked to 0.34.0) of package `ibc-testkit v0.48.1`
    ... which satisfies dependency `ibc-testkit = "^0.48.1"` (locked to 0.48.1) of package `…`
versions that meet the requirements `^1.5` are: 1.7.0, 1.6.0, 1.5.7, 1.5.6, 1.5.5, 1.5.4, 1.5.3

Unpin the zeroize crate and update the MSRV to 1.60, which is the current MSRV of zeroize and a 20-month-old Rust release.

mina86 commented 7 months ago

Ideally I’d love to see a 3.2.2 release with this change but even without that having this commit in upstream repository is beneficial since I can patch to upstream rather than a fork.
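The manifest fragments below are an added illustration, not code from the curve25519-dalek repository, of the two things discussed in this PR: the dependency declaration the PR changes (with the `rust-version` field that records the new MSRV), and the downstream `[patch.crates-io]` override that lets a consumer point a transitively pulled-in 3.x crate at an upstream commit instead of a fork. The pre-change pin range, the version numbers and the file split are assumptions; the commit hash is a placeholder.

```toml
# File 1 (assumed): Cargo.toml of curve25519-dalek on the 3.x branch, after the change.
[package]
name = "curve25519-dalek"
version = "3.2.1"        # assumed; the page only says a 3.2.2 release would be ideal
edition = "2018"         # assumed
# Declaring the MSRV lets cargo report a clear error instead of a compile failure
# on older toolchains. 1.60 is the zeroize MSRV quoted in the PR description.
rust-version = "1.60"

[dependencies]
# Assumed shape of the old pin from issue #362. Anything >= 1.4 was rejected, so a
# tree that also needs `zeroize = "^1.5"` (der -> pkcs8 -> ed25519 -> tendermint
# -> ibc-testkit in the error above) could not resolve.
# zeroize = { version = ">=1, <1.4", default-features = false }
#
# Unpinned: any 1.x release satisfies both this crate and the ^1.5 requirement.
zeroize = { version = "1", default-features = false }

# File 2 (assumed): Cargo.toml at the root of a downstream workspace that pulls
# curve25519-dalek 3.x in through a third-party dependency it cannot update.
# The [patch] table only affects this workspace's build; it is not inherited by
# crates that depend on this workspace, so it is a local workaround, not a fix.
[patch.crates-io]
# Once the change is merged upstream, the patch can point at the upstream commit
# rather than at a personal fork. The package version at that rev must still be
# semver-compatible with the "3" requirement the third-party crate declares.
curve25519-dalek = { git = "https://github.com/dalek-cryptography/curve25519-dalek", rev = "UPSTREAM_COMMIT_PLACEHOLDER" }
```

Before and after applying the patch, `cargo tree -i zeroize` shows every path by which zeroize is required and makes it easy to confirm that a single 1.x version now satisfies all of them. Note the trade-off the PR description accepts: raising `rust-version` to 1.60 means any downstream crate with a lower declared MSRV will fail to build with the patched version.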

tarcieri commented 7 months ago

This branch, and the 3.x series, is not maintained.

Please update to the latest version.

tarcieri commented 7 months ago

not everyone has the luxury of migrating to 4.x. 3.x may be pulled in through a third-party dependency whose update plan is unknown.

It sounds like you have unmaintained dependencies with a cryptographic component. That's bad.

The best solution there is to find a maintained alternative or fork and maintain those dependencies yourself.

mina86 commented 7 months ago

It sounds like you have unmaintained dependencies with a cryptographic component. That's bad.

https://crates.io/crates/solana-program/ has regular releases so it is in fact maintained.

The best solution there is to find a maintained alternative or fork and maintain those dependencies yourself.

I mean, no, patching curve25519-dalek is a better solution, which is what I’m doing right now. I just hoped to improve the situation by a) not having to patch or b) having the patch point at an upstream commit.

tarcieri commented 7 months ago

If it's maintained, I suggest opening a PR to bump the curve25519-dalek version, or failing that, an issue notifying them they have an out-of-date, unmaintained dependency and need to upgrade.