etesync / etebase-rs

A Rust client library for Etebase
https://www.etebase.com
BSD 3-Clause "New" or "Revised" License
116 stars, 11 forks

depends on deprecated library sodiumoxide #24

Status: Open. jonassmedegaard opened this issue 2 years ago

jonassmedegaard commented 2 years ago

The sodiumoxide project is now deprecated: https://github.com/sodiumoxide/sodiumoxide/commit/5bb1dfd

tasn commented 2 years ago

I think it's not deprecated in terms of DO NOT USE, but rather: it's now feature complete, no?

jonassmedegaard commented 2 years ago

Right, that is my understanding as well.

I am no crypto expert, but I seem to read between the lines that what the author describes as having "vastly changed" includes the maturity of implementations in native Rust, which I would expect to bring size, speed, and stability improvements.

Seems the Dalek libraries (and crates based on those) are the most popular in the Rust community nowadays.

tasn commented 2 years ago

The problem is that we can't only care about quality, but we also need to care about compatibility with the algorithms we use (libsodium ones).

Dalek looks great though! I wonder if there's a sodium compatibility layer!

jonassmedegaard commented 2 years ago

Perhaps this: https://crates.io/crates/crypto_box

tasn commented 2 years ago

Main questions are:

  1. is it worth it?
  2. Compatibility.

Xiretza commented 2 years ago

sodiumoxide is now completely archived and will thus no longer receive security fixes; it should be replaced.

tasn commented 2 years ago

:|

OK, I'll try to find some time to take a look, thanks!

barathrm commented 1 year ago

I'm looking into finally upstreaming libetebase into openSUSE, and just discovered this one again during the automated cargo audit that's run.

Friendly bump :hugs:
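The `cargo audit` hit mentioned above only tells you that `sodiumoxide` is somewhere in the lockfile; before estimating the replacement work it helps to know every dependency chain that pulls it in, since a crate reached through two paths must be removed from both. The following is an added example written for this thread, not code from etebase-rs or from sodiumoxide: it parses the `[[package]]` entries of a Cargo.lock and walks the reverse dependency graph from a target crate up to the root crates. The embedded lockfile text is constructed for the demo (the `my-app` crate and all `0.0.0` versions are placeholders, not real releases); on a real workspace `cargo tree -i sodiumoxide` gives the same answer.

```rust
use std::collections::{HashMap, VecDeque};

/// One `[[package]]` entry from a Cargo.lock file.
#[derive(Debug, Clone, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub dependencies: Vec<String>,
}

/// Minimal parser for the subset of Cargo.lock syntax needed here:
/// `[[package]]` headers, `name`, `version`, and multi-line `dependencies` arrays.
pub fn parse_lockfile(text: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let mut current: Option<Package> = None;
    let mut in_deps = false;

    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = current.take() {
                packages.push(p);
            }
            current = Some(Package { name: String::new(), version: String::new(), dependencies: Vec::new() });
            in_deps = false;
            continue;
        }
        // Lines before the first [[package]] (lockfile version, comments) are ignored.
        let pkg = match current.as_mut() { Some(p) => p, None => continue };
        if in_deps {
            if line.starts_with(']') {
                in_deps = false;
                continue;
            }
            // Entries look like `"serde",` or, in older lockfiles, `"serde 1.0.0 (registry+...)",`;
            // only the crate name is kept.
            let entry = line.trim_end_matches(',').trim_matches('"');
            if let Some(name) = entry.split_whitespace().next() {
                pkg.dependencies.push(name.to_string());
            }
            continue;
        }
        if let Some(v) = line.strip_prefix("name = ") {
            pkg.name = v.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("version = ") {
            pkg.version = v.trim_matches('"').to_string();
        } else if line.starts_with("dependencies = [") {
            in_deps = true; // Cargo always writes this array one entry per line
        }
    }
    if let Some(p) = current.take() {
        packages.push(p);
    }
    packages
}

/// Every dependency chain from a root crate (one that nothing depends on) down to
/// `target`, as lists of crate names, sorted for deterministic output.
/// Returns an empty list when `target` is not in the lockfile at all.
pub fn dependency_paths(packages: &[Package], target: &str) -> Vec<Vec<String>> {
    if !packages.iter().any(|p| p.name == target) {
        return Vec::new();
    }
    // Reverse edges: crate -> crates that depend on it.
    let mut dependents: HashMap<&str, Vec<&str>> = HashMap::new();
    for p in packages {
        dependents.entry(p.name.as_str()).or_default();
        for d in &p.dependencies {
            dependents.entry(d.as_str()).or_default().push(p.name.as_str());
        }
    }
    let mut paths = Vec::new();
    let mut queue: VecDeque<Vec<String>> = VecDeque::new();
    queue.push_back(vec![target.to_string()]);
    while let Some(path) = queue.pop_front() {
        let head = path[0].as_str();
        match dependents.get(head) {
            Some(parents) if !parents.is_empty() => {
                for parent in parents {
                    if path.iter().any(|n| n.as_str() == *parent) {
                        continue; // cycle guard (dev-dependency cycles can occur)
                    }
                    let mut next = Vec::with_capacity(path.len() + 1);
                    next.push((*parent).to_string());
                    next.extend(path.iter().cloned());
                    queue.push_back(next);
                }
            }
            _ => paths.push(path), // reached a root crate
        }
    }
    paths.sort();
    paths
}

/// Constructed sample lockfile for the demo; crate versions are placeholders.
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "etebase"
version = "0.0.0"
dependencies = [
 "serde",
 "sodiumoxide",
]

[[package]]
name = "libsodium-sys"
version = "0.0.0"

[[package]]
name = "my-app"
version = "0.0.0"
dependencies = [
 "etebase",
 "sodiumoxide",
]

[[package]]
name = "serde"
version = "0.0.0"

[[package]]
name = "sodiumoxide"
version = "0.0.0"
dependencies = [
 "libsodium-sys",
]
"#;

fn main() {
    let packages = parse_lockfile(SAMPLE_LOCK);
    for path in dependency_paths(&packages, "sodiumoxide") {
        println!("{}", path.join(" -> "));
    }
}
```

In the constructed sample the target is reached both directly from `my-app` and via `etebase`, so swapping the crate inside etebase-rs alone would leave the direct path (and the `libsodium-sys` build dependency behind it) in the audit report. The same walk run for `libsodium-sys` shows which native-library dependency disappears once every `sodiumoxide` path is gone.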

tasn commented 1 year ago

There's nothing wrong with sodiumoxide I believe, it's just "no longer developed". I don't know what it actually means in terms of security, but given that it's just a thin wrapper around libsodium, I'm not that concerned. It's going to be quite a bit of work changing to a new implementation, which I don't have time for unfortunately. Especially given the questionable benefits.

mainrs commented 1 year ago

> sodiumoxide is now completely archived and will thus no longer receive security fixes; it should be replaced.

This does not seem to be the case:

https://github.com/sodiumoxide/sodiumoxide/blob/3057acb1a030ad86ed8892a223d64036ab5e8523/README.md?plain=1#L3-L5

This seems to mean that new API surface in libsodium will not be implemented in the crate. But security fixes that arise will be fixed accordingly on the already existing API surface.

Xiretza commented 1 year ago

That message is from before the repo was archived.