-
Notifications
You must be signed in to change notification settings - Fork 4.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
zeroize: Allow versions newer than 1.3 for curve25519-dalek
#33516
zeroize: Allow versions newer than 1.3 for curve25519-dalek
#33516
Conversation
Codecov Report
@@ Coverage Diff @@
## master #33516 +/- ##
=========================================
- Coverage 81.8% 81.8% -0.1%
=========================================
Files 806 806
Lines 217428 217428
=========================================
- Hits 178058 178047 -11
- Misses 39370 39381 +11 |
Thanks ser, you save me. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is great! super helpful. avoids a ton of headaches! Thank you!
People were already looking at it: #32836 |
was there an attempt to work with upstream in either of these cases before vendoring? vendoring should really be a last resort if we have to take this route, ideally put the vendored crates in in separate PRs to make the revert simple |
Here is a thread with dalek-cryptography/curve25519-dalek#452 (comment) They do not seem to be interested in doing another release.
I'll split |
Split |
curve25519-dalek
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. But ya with what trent said, I'm not sure how people feel about vendoring. This definitely solves a big headache with versioning though.....
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me. It doesn't seem like it'll be possible upstream the change, and we'll likely need to keep dalek v1 in our public API for a long time to come, so we likely want this change when we include both dalek v2 and v1. I would get @t-nelson's approval too since he had reservations.
seems fine since upstream doesn't want to play ball.
given that we're going to try to take monorepo to 2.0 in 1.19, i'm hoping we'll never need to formally support v2 and our api can instead be purely based on traits that can be implemented externally |
`curve25519-dalek` v3.2.1 has a constraint on the maximum `zeroize` version to be no more than 1.3. At the same time, `cargo` does not want to construct a dependency graph with duplicate instances of a crate, when the first non-zero version of those instances are the same. That is, it refuses to build a workspace with both 1.3 and 1.4 versions of `zeroize`. `zeroize` is actually backward compatible, and `curve25519-dalek` restriction is overly pessimistic. This packages lifted this restriction in newer versions, but we still depend on older version and can not immediately update.
Moved the fork to https://github.com/solana-labs/curve25519-dalek and rebased on top of the merged #33618. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm. thank you!
…33930) Fixes commit a099c7a Author: Illia Bobyr <[email protected]> Date: Mon Oct 23 12:19:59 2023 -0700 zeroize: Allow versions newer than 1.3 for `curve25519-dalek` (#33516) Use correct commit hash from `solana-labs/curve25519-dalek.git`.
…-labs#33516) `curve25519-dalek` v3.2.1 has a constraint on the maximum `zeroize` version to be no more than 1.3. At the same time, `cargo` does not want to construct a dependency graph with duplicate instances of a crate, when the first non-zero version of those instances are the same. That is, it refuses to build a workspace with both 1.3 and 1.4 versions of `zeroize`. `zeroize` is actually backward compatible, and `curve25519-dalek` restriction is overly pessimistic. These packages lifted this restriction in newer versions, but we still depend on older version and can not immediately update.
…olana-labs#33930) Fixes commit a099c7a Author: Illia Bobyr <[email protected]> Date: Mon Oct 23 12:19:59 2023 -0700 zeroize: Allow versions newer than 1.3 for `curve25519-dalek` (solana-labs#33516) Use correct commit hash from `solana-labs/curve25519-dalek.git`.
…-labs#33516) `curve25519-dalek` v3.2.1 has a constraint on the maximum `zeroize` version to be no more than 1.3. At the same time, `cargo` does not want to construct a dependency graph with duplicate instances of a crate, when the first non-zero version of those instances are the same. That is, it refuses to build a workspace with both 1.3 and 1.4 versions of `zeroize`. `zeroize` is actually backward compatible, and `curve25519-dalek` restriction is overly pessimistic. These packages lifted this restriction in newer versions, but we still depend on older version and can not immediately update.
…olana-labs#33930) Fixes commit a099c7a Author: Illia Bobyr <[email protected]> Date: Mon Oct 23 12:19:59 2023 -0700 zeroize: Allow versions newer than 1.3 for `curve25519-dalek` (solana-labs#33516) Use correct commit hash from `solana-labs/curve25519-dalek.git`.
Problem
curve25519-dalek
v3.2.1 has a constraint on the maximumzeroize
version to be no more than 1.3.At the same time,
cargo
does not want to construct a dependency graph with duplicate instances of a crate, when the first non-zero version of those instances are the same. That is, it refuses to build a workspace with both 1.3 and 1.4 versions ofzeroize
.zeroize
is actually backward compatible, andcurve25519-dalek
restriction is overly pessimistic. This package lifted this restriction in newer versions, but we still depend on older version and can not immediately update.Summary of Changes
Use a patched version based on v3.2.1 that also removes the unnecessary constraint.