semiotic-ai / timeline-aggregation-protocol

A fast, efficient and trust-minimized unidirectional micro-payments system.
Apache License 2.0

Is `tiny-keccak` crate unmaintained? #47

Closed aasseman closed 1 year ago

aasseman commented 1 year ago

https://github.com/debris/tiny-keccak was last updated in June 2020. It may be completely unmaintained, and thus may pose a security risk.

Not sure what action should be taken though. It may be fine.

_Originally posted by @aasseman in https://github.com/semiotic-ai/timeline_aggregation_protocol/pull/38#discussion_r1162179761_

ColePBryan commented 1 year ago

I ran a `cargo audit` on the repo and didn't get any issues regarding tiny-keccak. Also, tiny-keccak is used by ethers-rs, the library we would be using if we didn't implement the key-to-address translation ourselves.

Not that either of these guarantees security, just noting where we are at so far.

https://github.com/gakonst/ethers-rs/blob/master/Cargo.toml#L99

severiano-sisneros commented 1 year ago

The RustCrypto project maintains a Keccak implementation. We're using their secp256k1 ECC implementation.

Although I see that tiny-keccak is also used by ethers-core for the EIP712 functionality we're importing, i.e. we're already using tiny-keccak.

aasseman commented 1 year ago

@severiano-sisneros so that means we can close this?