Closed A6GibKm closed 1 year ago
For other people who hit the same issue, a workaround is to use version 1.1 of this crate.
This has already been done on the release/2.0
branch, I don't think it makes sense to have another PR for the same thing on main
, it seems very unlikely to be merged.
Is there a way we could get this merged in the 1.2.x branch with a new release on crates.io? As pointed out previously, this prevents building x25519-dalek
with other crates that require a more recent version of zeroize
and I guess the problem is only going to get worse over time.
Using the release/2.0
branch as a dep worked for me, but this still needs an update otherwise other crates can't depend on this.
Another breaking release of x25519-dalek
relies on a forthcoming v4.0 release of curve25519-dalek
: https://github.com/dalek-cryptography/curve25519-dalek/issues/405
That said the fix is already on the release branch, so as @jplatte noted earlier this PR is superfluous.
Can this please be backported to 1.2 nevertheless? The restriction is blocking me from updating security related dependencies. It's not only about having to wait for v2.0 being released, since that's semver-breaking I'll also have to wait until all intermediary dependencies using it have updated.
This is a pretty bad situation given that the only downside of the fix I can see is "bumps the MSRV" (correct me if I'm wrong).
Version =1.3 was set so the library builds on older rust versions. But this won't allow to build the library if some other dependency requires a newer version.
See https://gitlab.gnome.org/GNOME/fractal/-/issues/1016#note_1442659