dalek-cryptography / x25519-dalek

X25519 elliptic curve Diffie-Hellman key exchange in pure-Rust, using curve25519-dalek.
BSD 3-Clause "New" or "Revised" License

Non-semver pin on `zeroize =1.3` leads to incompatibility with any crate that requires `zeroize >1.4` #92

Open reivilibre opened 2 years ago

reivilibre commented 2 years ago

Cargo normally lets you install and use two concurrent versions of a crate, but only if they are not semver compatible (https://github.com/rust-lang/cargo/issues/6584). Therefore the current hard requirement on zeroize =1.3 is inconvenient as it prevents using any crates that depend on newer versions of that crate.

Please would it be possible to lift this requirement so that later versions of the zeroize crate can be used? As far as I know semver compatibility means that should be OK — am I missing something (does zeroize not follow semver?).

```
error: failed to select a version for `zeroize`.
    ... required by package `elliptic-curve v0.12.3`
    ... which satisfies dependency `elliptic-curve = "^0.12"` of package `ecdsa v0.14.8`
    ... which satisfies dependency `ecdsa-core = "^0.14"` of package `p256 v0.11.1`
    ... which satisfies dependency `p256 = "^0.11.1"` of package `webrtc-dtls v0.6.0`
    ... which satisfies dependency `dtls = "^0.6.0"` of package `webrtc v0.5.1`
    ... which satisfies dependency `webrtc = "^0.5.1"` of package `matrix_voip_echo v0.1.0 (/home/rei/repo/utils/matrix_voip_echo)`
versions that meet the requirements `^1.5` are: 1.5.7, 1.5.6, 1.5.5, 1.5.4, 1.5.3

all possible versions conflict with previously selected packages.

  previously selected package `zeroize v1.3.0`
    ... which satisfies dependency `zeroize = "=1.3"` of package `x25519-dalek v1.2.0`
    ... which satisfies dependency `x25519-dalek = "^1.2.0"` of package `vodozemac v0.3.0`
    ... which satisfies dependency `vodozemac = "^0.3.0"` of package `matrix-sdk-crypto v0.6.0`
    ... which satisfies dependency `matrix-sdk-crypto = "^0.6.0"` of package `matrix-sdk-base v0.6.1`
    ... which satisfies dependency `matrix-sdk-base = "^0.6.1"` of package `matrix-sdk v0.6.2`
    ... which satisfies dependency `matrix-sdk = "^0.6.2"` of package `matrix_voip_echo v0.1.0 (/home/rei/repo/utils/matrix_voip_echo)`
```

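
Why `=1.3` and `^1.5` cannot be resolved together, as an added example that is not part of the original thread and is not Cargo's own code: a simplified model of requirement matching and of the rule that only one version per semver-compatible range can be selected. The names `Ver`, `bucket`, `matches` and `unify`, and the relaxed requirement `^1.3`, are assumptions made for the illustration.

```rust
// Added illustration, not Cargo's resolver: models only the `=`, `^` and `<`
// operators seen in the thread, ignores pre-releases and 0.0.x carets.
type Ver = (u64, u64, u64);

// zeroize versions named in the resolver output quoted in the issue.
const ZEROIZE: [Ver; 7] =
    [(1, 3, 0), (1, 4, 3), (1, 5, 3), (1, 5, 4), (1, 5, 5), (1, 5, 6), (1, 5, 7)];

/// Parse "1.3" or "1.5.7"; also return how many components were written.
fn parse(s: &str) -> (Ver, usize) {
    let p: Vec<u64> = s.split('.').map(|x| x.parse().unwrap()).collect();
    ((p[0], *p.get(1).unwrap_or(&0), *p.get(2).unwrap_or(&0)), p.len())
}

/// Compatibility bucket: Cargo selects at most one version of a crate per bucket.
fn bucket(v: Ver) -> Ver {
    match v {
        (0, 0, p) => (0, 0, p),
        (0, m, _) => (0, m, 0),
        (maj, _, _) => (maj, 0, 0),
    }
}

/// Does `v` satisfy a requirement such as "=1.3", "^1.5" or "<1.4"?
fn matches(req: &str, v: Ver) -> bool {
    let (op, rest) = match req.chars().next() {
        Some(c @ ('=' | '<' | '^')) => (c, &req[1..]),
        _ => ('^', req), // a bare requirement is a caret requirement
    };
    let (r, n) = parse(rest.trim());
    match op {
        '=' => v.0 == r.0 && (n < 2 || v.1 == r.1) && (n < 3 || v.2 == r.2),
        '<' => v < r,
        _ => v >= r && bucket(v) == bucket(r),
    }
}

/// Highest version meeting every requirement, which is what the resolver needs
/// when all of the requirements fall into the same bucket.
fn unify(reqs: &[&str], available: &[Ver]) -> Option<Ver> {
    available.iter().copied().filter(|&v| reqs.iter().all(|r| matches(r, v))).max()
}

fn main() {
    println!("{:?}", unify(&["=1.3", "^1.5"], &ZEROIZE)); // the pin vs elliptic-curve
    println!("{:?}", unify(&["^1.3", "^1.5"], &ZEROIZE)); // hypothetical relaxed pin
    println!("{}", bucket((1, 3, 0)) == bucket((1, 5, 7))); // same bucket, cannot coexist
}
```

Because 1.3.0 and 1.5.7 share a bucket, the resolver cannot fall back to selecting both, so the exact pin leaves it with no solution.
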
tarcieri commented 2 years ago

See upstream issues:

curve25519-dalek needs another release to properly relax this dependency.

See also: #89

Ciantic commented 2 years ago

That upstream issue is now merged? And #89 is closed. Are there other problems?

tarcieri commented 2 years ago

The release/2.0 branch of x25519-dalek needs to be bumped to use curve25519-dalek v4.0 whenever that's released.

curve25519-dalek v3 is still pinned to zeroize < 1.4

paradox-tt commented 1 year ago

I'm also experiencing an issue with this. Looking forward to a resolution.

```
error: failed to select a version for `zeroize`.
    ... required by package `sp-core v7.0.0`
    ... which satisfies dependency `sp-core = "^7.0.0"` of package `sp-application-crypto v7.0.0`
    ... which satisfies dependency `sp-application-crypto = "^7.0.0"` of package `sp-runtime v7.0.0`
    ... which satisfies dependency `sp-runtime = "^7.0.0"` of package `subxt v0.25.0`
    ... which satisfies dependency `subxt = "^0.25.0"` of package `para_pay v0.1.0 (C:\Users\Will\source\repos\ParaPay)`
versions that meet the requirements `^1.4.3` are: 1.5.7, 1.5.6, 1.5.5, 1.5.4, 1.5.3, 1.4.3

all possible versions conflict with previously selected packages.

  previously selected package `zeroize v1.3.0`
    ... which satisfies dependency `zeroize = "=1.3"` of package `x25519-dalek v1.2.0`
    ... which satisfies dependency `x25519-dalek = "^1.2.0"` of package `vodozemac v0.3.0`
    ... which satisfies dependency `vodozemac = "^0.3.0"` of package `matrix-sdk-crypto v0.6.0`
    ... which satisfies dependency `matrix-sdk-crypto = "^0.6.0"` of package `matrix-sdk-base v0.6.1`
    ... which satisfies dependency `matrix-sdk-base = "^0.6.1"` of package `matrix-sdk v0.6.2`
    ... which satisfies dependency `matrix-sdk = "^0.6.2"` of package `matrix_messenger v0.1.0 (C:\Users\Will\source\repos\MatrixMessenger)`
    ... which satisfies path dependency `matrix_messenger` (locked to 0.1.0) of package `para_pay v0.1.0 (C:\Users\Will\source\repos\ParaPay)`

failed to select a version for `zeroize` which could resolve this conflict
```

Decodetalkers commented 1 year ago

Waiting for it

tarcieri commented 1 year ago

#99 is the tracking ticket to follow development