Open nwalfield opened 11 months ago
FYI I've renamed this issue in an attempt to capture the problem, rather than a solution, especially since I at least feel that that solution doesn't quite work for your problem.
Normally asserting that a single package exists is because of symbols (sys packages) or because of some globals.
cargo deny
is a third-party subcommand that can lint for duplicate packages with an allowlist (iirc).
This is more about keeping packages in-sync with each other which is more of rust-lang/rust#44663 though we need to re-think the automatically keeping packages in-sync part because we found that to have a lot of problems and is what has stalled that from being implemented for years when there would be benefits from the other parts of that RFC.
Thanks for the quick and thoughtful response.
cargo deny is a third-party subcommand that can lint for duplicate packages with an allowlist (iirc).
This doesn't work well in our case as we (sequoia-openpgp) are a library, but the dependency resolution is done by the application. We could add this to our CI to detect these types of problems early.
This is more about keeping packages in-sync with each other which is more of #44663 though we need to re-think the automatically keeping packages in-sync part because we found that to have a lot of problems and is what has stalled that from being implemented for years when there would be benefits from the other parts of that RFC.
I think you mean to link to https://github.com/rust-lang/rust/issues/44663, and that does look relevant. Thanks for pointing that out.
Ah, the part that I missed was win-crypto-ng's Cargo.toml
rand_core = { version = ">= 0.5, <0.7", optional = true }
I think we have an issue about doing a better job of resolving these ranges but not finding it atm.
Problem
Version 1.16.0 of sequoia-openpgp depends on
win-crypto-ng
(version0.4
or0.5
), anded25519-dalek
(version1
).ed25519-dalek depends on version 0.5 of
rand_core
and 0.7 ofrand
.Version 0.5.1 of
win-crypto-ng
depends onrand_core
0.5 or 0.6. (0.5.0 depended only on version 0.5 of rand_core.)We call
ed25519_dalek::Keypair::generate
. It takes a parameter, which has to implementrand::CryptoRng
andrand::RngCore
. These traits are taken fromrand
0.7, which just reexports the symbols fromrand_core
0.5.We provide
ed25519_dalek::Keypair::generate
awin_crypto_ng::RandomNumberGenerator
.RandomNumberGenerator
, which implementsrand_core::CryptoRng
andrand_core::RngCore
. When it usesrand_core
0.6, these traits of course come fromrand_core
0.6.As reported in this issue,
cargo
pulls inrand_core
0.5 fored25519
, andrand_core
0.6 forwin-crypto-ng
.This results in errors like:
Is there a way to express to cargo that
ed25519-dalek
andwin-crypto-ng
need to use the same version ofrand_core
?Do you have any other recommendations on how we / our users should work around this issue?
Thanks!
Steps
Build
sequoia-openpgp
on Windows with the Windows CNG crypto backend:The results can be seen in this CI job.
Possible Solution(s)
No response
Notes
No response
Version