Closed Cashmaney closed 3 years ago
Added in x25519-dalek v1.2.0 but I reserve the right to change/update it between minor versions of x25519-dalek.
Pinning zeroize = "=1.3"
was an invalid resolution to this issue, which was in fact not a problem with x25519-dalek
.
The previously-expressed zeroize = "1"
dependency allowed downstream users to use whatever zeroize
version they needed for their MSRV requirements. All that needed to be done for MSRV compatibility was to not have a zeroize = "1.4"
dependency.
The current zeroize = "=1.3"
pin instead breaks compilation for newer-MSRV users who have zeroize 1.4
elsewhere in their dependency tree (see #89), preventing upgrades to x25519-dalek 1.2.0
.
The correct place to pin zeroize = "<1.4"
for older MSRV support would be in @Cashmaney's Cargo.toml
(or concretely in a Cargo.lock
).
This turned that problem into a new one, for example combining x25519-dalek
with chacha20poly1305
you get:
error: failed to select a version for `zeroize`.
... required by package `chacha20poly1305 v0.10.1`
... which satisfies dependency `chacha20poly1305 = "^0.10.1"` of package `sodot-mpc-infra v0.1.0 (/tmp/cargo-outdatednhNPPE)`
versions that meet the requirements `^1.5` are: 1.5.7, 1.5.6, 1.5.5, 1.5.4, 1.5.3
all possible versions conflict with previously selected packages.
previously selected package `zeroize v1.3.0`
... which satisfies dependency `zeroize = "=1.3"` of package `x25519-dalek v1.2.0`
... which satisfies dependency `x25519-dalek = "^1.2.0"` of package `sodot-mpc-infra v0.1.0 (/tmp/cargo-outdatednhNPPE)`
failed to select a version for `zeroize` which could resolve this conflict
@elichai check the release/2.0
branch which unpins it to 1
@rozbb we should really merge release/2.0
into main
so people stop filing issues about this
Hey,
The change to zeroize 1.4.0 here breaks builds for anyone using an older Rust version. Any chance to pin zeroize to 1.3.0 to maintain compatibility?