Upgrade zeroize dep #8

Closed
k-bx opened this issue Apr 25, 2023 · 5 comments

k-bx commented Apr 25, 2023

I can't upgrade some of my project's deps due to curve25519-dalek requiring zeroize < 1.4. Is it possible to support later versions of zeroize?

@jrose-signal
Contributor

We've been waiting for upstream to release curve25519-dalek 4.0, which updates a bunch of dependencies: dalek-cryptography/curve25519-dalek#405. If that doesn't happen soon though maybe we can take this; the original reason for pinning it (again, upstream) was a disagreement about whether MSRV breaks should be semver breaks, and upstream has given up on that.

@jrose-signal
Contributor

(This finally happened!)

@k-bx
Author

k-bx commented Oct 6, 2023

@jrose-signal apologies for the confusion. I see the zeroize requirement is still there, and I also see there was a revert commit https://github.com/signalapp/curve25519-dalek/commits/lizard2 in here. Shall I re-open this issue? Or am I doing it wrong? Still getting an error when trying to depend on the latest presage:

cargo check --tests
    Updating git repository `https://github.com/whisperfish/presage/`
    Updating git repository `https://github.com/whisperfish/libsignal-service-rs`
    Updating crates.io index
    Updating git repository `https://github.com/signalapp/libsignal`
    Updating git repository `https://github.com/signalapp/curve25519-dalek`
error: failed to select a version for `zeroize`.
    ... required by package `curve25519-dalek v4.0.0 (https://github.com/signalapp/curve25519-dalek?tag=signal-curve25519-4.0.0#463e5c7c)`
    ... which satisfies git dependency `curve25519-dalek` of package `zkgroup v0.9.0 (https://github.com/signalapp/libsignal?tag=v0.32.0#72f046fe)`
    ... which satisfies git dependency `zkgroup` of package `libsignal-service v0.1.0 (https://github.com/whisperfish/libsignal-service-rs?rev=8305357#8305357c)`
    ... which satisfies git dependency `libsignal-service` of package `presage v0.6.0-dev (https://github.com/whisperfish/presage/?rev=e3a6084cb573ab9eaccdd8b6c8994bd26862b058#e3a6084c)`
    ... which satisfies git dependency `presage` of package `signal-worker v0.1.0 (/Users/kon/workspace/myproj/signal-worker)`
versions that meet the requirements `^1` (locked to 1.3.0) are: 1.3.0

all possible versions conflict with previously selected packages.

  previously selected package `zeroize v1.6.0`
    ... which satisfies dependency `zeroize = "^1.6.0"` of package `presage-store-cipher v0.1.0 (https://github.com/whisperfish/presage/?rev=e3a6084cb573ab9eaccdd8b6c8994bd26862b058#e3a6084c)`
    ... which satisfies git dependency `presage-store-cipher` of package `signal-worker v0.1.0 (/Users/kon/workspace/myproj/signal-worker)`

failed to select a version for `zeroize` which could resolve this conflict

@jrose-signal
Contributor

We're on the main branch now, because we realized our references to lizard2 in the libsignal-client sources meant we could never introduce breaking changes without breaking older versions of libsignal. (Thanks for the reminder to update our GitHub default branch.)

You can see curve25519-dalek is no longer the problem because of the listing of "requirements ^1". I'm not sure what the "locked to 1.3.0" indicates in this error message, though. Is it possible that that's in your lockfile, and you have a setting that keeps that from being automatically updated?
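
Added example, not part of the thread or the project's code: a minimal Rust evaluation of the version requirements quoted in the error and discussion, showing that `^1` admits both 1.3.0 and 1.6.0 while a `<1.4` upper bound cannot coexist with `^1.6.0`. The requirement string `>=1, <1.4` is constructed from the "zeroize < 1.4" wording in the first comment, all function names are hypothetical, and only `^` (or bare), `<` and `>=` comparators are handled.

```rust
// Added example: evaluates the zeroize requirements quoted in this thread.
type Version = (u64, u64, u64);

/// Parse "1", "1.4" or "1.6.0"; missing components default to 0.
fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>());
    let major = parts.next()?.ok()?;
    let minor = parts.next().unwrap_or(Ok(0)).ok()?;
    let patch = parts.next().unwrap_or(Ok(0)).ok()?;
    Some((major, minor, patch))
}

/// Exclusive upper bound of a caret requirement (leftmost non-zero part bumps).
fn caret_upper(req: &str, (ma, mi, pa): Version) -> Version {
    let n = req.split('.').count(); // how many components were written
    if ma > 0 || n == 1 { (ma + 1, 0, 0) }
    else if mi > 0 || n == 2 { (0, mi + 1, 0) }
    else { (0, 0, pa + 1) }
}

/// Does `v` satisfy one comparator? None means unsupported or unparsable.
fn comparator_matches(cmp: &str, v: Version) -> Option<bool> {
    let cmp = cmp.trim();
    if let Some(r) = cmp.strip_prefix(">=") { return Some(v >= parse_version(r)?); }
    if let Some(r) = cmp.strip_prefix('<') { return Some(v < parse_version(r)?); }
    let rest = cmp.strip_prefix('^').unwrap_or(cmp).trim();
    let low = parse_version(rest)?;
    Some(v >= low && v < caret_upper(rest, low))
}

/// A requirement is a comma-separated list of comparators that must all hold.
fn req_matches(req: &str, version: &str) -> Option<bool> {
    let v = parse_version(version)?;
    let results: Option<Vec<bool>> = req.split(',').map(|c| comparator_matches(c, v)).collect();
    Some(results?.into_iter().all(|ok| ok))
}

/// Candidate versions accepted by every requirement at once.
fn resolvable<'a>(reqs: &[&str], candidates: &[&'a str]) -> Vec<&'a str> {
    candidates.iter().copied()
        .filter(|c| reqs.iter().all(|r| req_matches(r, c) == Some(true)))
        .collect()
}

fn main() {
    let candidates = ["1.3.0", "1.6.0"]; // versions named in the cargo error
    println!("{:?}", resolvable(&["^1", "^1.6.0"], &candidates)); // from the error
    println!("{:?}", resolvable(&[">=1, <1.4", "^1.6.0"], &candidates)); // constructed
}
```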

@k-bx
Author

k-bx commented Oct 6, 2023

Apologies, doing this helped:

[patch.crates-io]
curve25519-dalek = { git = 'https://github.com/signalapp/curve25519-dalek', tag = 'signal-curve25519-4.0.0' }
