
Zeroize 1.4.0 breaks compilations on < rust 1.51 #74

Closed
Cashmaney opened this issue Jul 20, 2021 · 4 comments
@Cashmaney

Hey,

The change to zeroize 1.4.0 here breaks builds for anyone using an older Rust version. Any chance to pin zeroize to 1.3.0 to maintain compatibility?

isislovecruft added a commit to isislovecruft/x25519-dalek that referenced this issue Sep 13, 2021
I reserve the right to change this between minor version changes in x25519-dalek.

This closes dalek-cryptography#74
@isislovecruft isislovecruft self-assigned this Sep 13, 2021
@isislovecruft (Member)

Added in x25519-dalek v1.2.0 but I reserve the right to change/update it between minor versions of x25519-dalek.

str4d commented Jun 18, 2022

Pinning zeroize = "=1.3" was an invalid resolution to this issue, which was in fact not a problem with x25519-dalek.

The previously-expressed zeroize = "1" dependency allowed downstream users to use whatever zeroize version they needed for their MSRV requirements. All that needed to be done for MSRV compatibility was to not have a zeroize = "1.4" dependency.

The current zeroize = "=1.3" pin instead breaks compilation for newer-MSRV users who have zeroize 1.4 elsewhere in their dependency tree (see #89), preventing upgrades to x25519-dalek 1.2.0.

The correct place to pin zeroize = "<1.4" for older MSRV support would be in @Cashmaney's Cargo.toml (or concretely in a Cargo.lock).

nph4rd referenced this issue in nph4rd/x25519-dalek Jun 25, 2022
As mentioned in the upstream repository [1], setting `zeroize`
to `=1.3` breaks compilation for some users. Leaving it at `"1"`
is actually less restrictive, and users are able to pin the
`zeroize` dependency version to any specific `1.*` version.

[1] - `https://github.com/dalek-cryptography/x25519-dalek/issues/74#issuecomment-1159481280`
elichai commented Mar 20, 2023

This turned that problem into a new one; for example, combining x25519-dalek with chacha20poly1305 you get:

error: failed to select a version for `zeroize`.
    ... required by package `chacha20poly1305 v0.10.1`
    ... which satisfies dependency `chacha20poly1305 = "^0.10.1"` of package `sodot-mpc-infra v0.1.0 (/tmp/cargo-outdatednhNPPE)`
versions that meet the requirements `^1.5` are: 1.5.7, 1.5.6, 1.5.5, 1.5.4, 1.5.3

all possible versions conflict with previously selected packages.

  previously selected package `zeroize v1.3.0`
    ... which satisfies dependency `zeroize = "=1.3"` of package `x25519-dalek v1.2.0`
    ... which satisfies dependency `x25519-dalek = "^1.2.0"` of package `sodot-mpc-infra v0.1.0 (/tmp/cargo-outdatednhNPPE)`

failed to select a version for `zeroize` which could resolve this conflict
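The resolution failure above, and str4d's point about where a pin belongs, come down to how Cargo's requirement strings intersect. The following is an added example, not code from x25519-dalek or from anyone in this thread: a small stand-alone model of Cargo's requirement matching (the `Version`, `Req` and `resolve` names are mine), covering only the forms that appear in this issue, the default caret form (`"1"`, `"^1.5"`), the exact form (`"=1.3"`) and an upper bound (`"<1.4"`). The list of zeroize releases is constructed from the versions mentioned in the thread. It shows that `=1.3` and `^1.5` have no common solution, that `1` together with `^1.5` resolves to 1.5.7, and that an old-MSRV user can still get 1.3.0 by adding `<1.4` in their own Cargo.toml.

```rust
// Added example: a minimal model of Cargo version requirements (not the real resolver).
// Caret is Cargo's default, so a bare "1" means "^1". A partial exact requirement such
// as "=1.3" is treated as >=1.3.0, <1.4.0, which is how Cargo reads it. The 0.0.x caret
// corner case is simplified here (assumption: it does not matter for this thread).

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse "1", "1.3" or "1.3.0"; missing components are treated as 0.
    pub fn parse(s: &str) -> Version {
        let mut it = s.split('.').map(|p| p.parse::<u64>().expect("numeric component"));
        Version {
            major: it.next().unwrap_or(0),
            minor: it.next().unwrap_or(0),
            patch: it.next().unwrap_or(0),
        }
    }
}

/// A half-open range [lo, hi) of versions.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Req {
    pub lo: Version,
    pub hi: Version,
}

impl Req {
    /// Parse a Cargo-style requirement string: "<1.4", "=1.3", "^1.5" or bare "1".
    pub fn parse(s: &str) -> Req {
        let s = s.trim();
        if let Some(rest) = s.strip_prefix('<') {
            let zero = Version { major: 0, minor: 0, patch: 0 };
            return Req { lo: zero, hi: Version::parse(rest) };
        }
        if let Some(rest) = s.strip_prefix('=') {
            // Exact: the range width depends on how many components were written.
            let lo = Version::parse(rest);
            let hi = match rest.split('.').count() {
                1 => Version { major: lo.major + 1, minor: 0, patch: 0 },
                2 => Version { major: lo.major, minor: lo.minor + 1, patch: 0 },
                _ => Version { major: lo.major, minor: lo.minor, patch: lo.patch + 1 },
            };
            return Req { lo, hi };
        }
        // Caret (explicit or implied): compatible up to the next bump of the
        // leftmost non-zero component.
        let lo = Version::parse(s.strip_prefix('^').unwrap_or(s));
        let hi = if lo.major > 0 {
            Version { major: lo.major + 1, minor: 0, patch: 0 }
        } else if lo.minor > 0 {
            Version { major: 0, minor: lo.minor + 1, patch: 0 }
        } else {
            Version { major: 0, minor: 0, patch: lo.patch + 1 }
        };
        Req { lo, hi }
    }

    pub fn matches(&self, v: Version) -> bool {
        v >= self.lo && v < self.hi
    }
}

/// Newest available version satisfying every requirement. Within one semver-compatible
/// major line Cargo must unify on a single version, so `None` is the
/// "all possible versions conflict" failure shown in this issue.
pub fn resolve(available: &[&str], reqs: &[&str]) -> Option<Version> {
    let reqs: Vec<Req> = reqs.iter().map(|r| Req::parse(r)).collect();
    available
        .iter()
        .map(|v| Version::parse(v))
        .filter(|v| reqs.iter().all(|r| r.matches(*v)))
        .max()
}

fn main() {
    // Constructed sample: the zeroize releases named in this thread.
    let zeroize = ["1.3.0", "1.4.0", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7"];
    // x25519-dalek 1.2.0 (`=1.3`) plus chacha20poly1305 0.10.1 (`^1.5`): no solution.
    println!("=1.3 + ^1.5 -> {:?}", resolve(&zeroize, &["=1.3", "^1.5"]));
    // With the dependency left at `1`, the same pair resolves to the newest 1.5.x.
    println!("1 + ^1.5    -> {:?}", resolve(&zeroize, &["1", "^1.5"]));
    // An old-MSRV consumer adds `<1.4` in its own Cargo.toml and still gets 1.3.0.
    println!("1 + <1.4    -> {:?}", resolve(&zeroize, &["1", "<1.4"]));
}
```

The third call is the arrangement str4d describes: the library keeps the permissive `"1"` requirement, and the consumer who needs an old toolchain narrows it locally, which constrains only that consumer's build instead of every downstream user.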

tarcieri (Contributor) commented Mar 20, 2023

@elichai check the release/2.0 branch which unpins it to 1

@rozbb we should really merge release/2.0 into main so people stop filing issues about this
