zeroize: Allow versions newer than 1.3 for curve25519-dalek (solana-labs#33516)

`curve25519-dalek` v3.2.1 has a constraint on the maximum `zeroize`
version to be no more than 1.3.

At the same time, `cargo` does not want to construct a dependency graph
with duplicate instances of a crate, when the first non-zero version of
those instances are the same.  That is, it refuses to build a workspace
with both 1.3 and 1.4 versions of `zeroize`.

`zeroize` is actually backward compatible, and the `curve25519-dalek`
restriction is overly pessimistic.  These packages lifted this
restriction in newer versions, but we still depend on an older version and
cannot immediately update.
ilya-bobyr authored Oct 23, 2023
1 parent 54b796f commit a099c7a
Showing 2 changed files with 34 additions and 2 deletions.
3 changes: 1 addition & 2 deletions Cargo.lock

33 changes: 33 additions & 0 deletions Cargo.toml
Expand Up @@ -492,3 +492,36 @@ solana-zk-token-sdk = { path = "zk-token-sdk" }
[patch.crates-io.aes-gcm-siv]
git = "https://github.com/RustCrypto/AEADs"
rev = "6105d7a5591aefa646a95d12b5e8d3f55a9214ef"

# Our dependency tree has `curve25519-dalek` v3.2.1. They have removed the
# constrain in the next major release. Commit that removes `zeroize` constrain
# was added to multiple release branches. Bot not to the 3.2 branch.
#
# `curve25519-dalek` maintainers are saying they do not want to invest any more
# time in the 3.2 release:
#
# https://github.com/dalek-cryptography/curve25519-dalek/issues/452#issuecomment-1749809428
#
# So we have to fork and create our own release, based on v3.2.1. Commit that
# removed `zeroize` constrain on the `main` branch cherry picked on top of the
# v3.2.1 release.
#
# `curve25519-dalek` v3.2.1 release:
#
# https://github.com/dalek-cryptography/curve25519-dalek/releases/tag/3.2.1
#
# Corresponds to commit
#
# https://github.com/dalek-cryptography/curve25519-dalek/commit/29e5c29b0e5c6821e4586af58b0d0891dd2ec639
#
# Comparison with `c14774464c4d38de553c6ef2f48a10982c1b4801`:
#
# https://github.com/dalek-cryptography/curve25519-dalek/compare/3.2.1...solana-labs:curve25519-dalek:c14774464c4d38de553c6ef2f48a10982c1b4801
#
# Or, using the branch name instead of the hash:
#
# https://github.com/dalek-cryptography/curve25519-dalek/compare/3.2.1...solana-labs:curve25519-dalek:3.2.1-unpin-zeroize
#
[patch.crates-io.curve25519-dalek]
git = "https://github.com/solana-labs/curve25519-dalek.git"
rev = "c14774464c4d38de553c6ef2f48a10982c1b4801"
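
Review bot: the `[patch.crates-io.curve25519-dalek]` entry only takes effect when this workspace is the top-level one being built, because Cargo ignores `[patch]` sections in dependencies' manifests. Anyone consuming these crates from crates.io will still resolve upstream `curve25519-dalek` v3.2.1 with its `zeroize` cap, so the comment block should say that downstream workspaces need the same patch, and should state the condition for removing it (the tree no longer depending on the 3.2 line). Pinning by `rev` rather than the `3.2.1-unpin-zeroize` branch is the right call for a cryptographic dependency, since the branch can move; it does mean that commit has to stay reachable in the `solana-labs` fork. Smaller points in the same comment: "constrain" appears three times where "constraint" is meant, and "Bot not to the 3.2 branch" should read "But not to the 3.2 branch".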
