signalapp/curve25519-dalek

Upgrade zeroize dep

k-bx opened this issue · 5 comments

k-bx commented

I can't upgrade some of my project's deps due to curve25519-dalek requiring zeroize < 1.4. Is it possible to support later versions of zeroize?

We've been waiting for upstream to release curve25519-dalek 4.0, which updates a bunch of dependencies: dalek-cryptography/curve25519-dalek#405. If that doesn't happen soon, though, maybe we can take this; the original reason for pinning it (again, upstream) was a disagreement about whether MSRV breaks should be semver breaks, and upstream has given up on that.

(This finally happened!)

k-bx commented

@jrose-signal apologies for the confusion. I see the zeroize requirement is still there, and I also see there was a revert commit https://github.com/signalapp/curve25519-dalek/commits/lizard2 in here. Shall I re-open this issue? Or am I doing it wrong? Still getting an error when trying to depend on the latest presage:

cargo check --tests
    Updating git repository `https://github.com/whisperfish/presage/`
    Updating git repository `https://github.com/whisperfish/libsignal-service-rs`
    Updating crates.io index
    Updating git repository `https://github.com/signalapp/libsignal`
    Updating git repository `https://github.com/signalapp/curve25519-dalek`
error: failed to select a version for `zeroize`.
    ... required by package `curve25519-dalek v4.0.0 (https://github.com/signalapp/curve25519-dalek?tag=signal-curve25519-4.0.0#463e5c7c)`
    ... which satisfies git dependency `curve25519-dalek` of package `zkgroup v0.9.0 (https://github.com/signalapp/libsignal?tag=v0.32.0#72f046fe)`
    ... which satisfies git dependency `zkgroup` of package `libsignal-service v0.1.0 (https://github.com/whisperfish/libsignal-service-rs?rev=8305357#8305357c)`
    ... which satisfies git dependency `libsignal-service` of package `presage v0.6.0-dev (https://github.com/whisperfish/presage/?rev=e3a6084cb573ab9eaccdd8b6c8994bd26862b058#e3a6084c)`
    ... which satisfies git dependency `presage` of package `signal-worker v0.1.0 (/Users/kon/workspace/myproj/signal-worker)`
versions that meet the requirements `^1` (locked to 1.3.0) are: 1.3.0

all possible versions conflict with previously selected packages.

  previously selected package `zeroize v1.6.0`
    ... which satisfies dependency `zeroize = "^1.6.0"` of package `presage-store-cipher v0.1.0 (https://github.com/whisperfish/presage/?rev=e3a6084cb573ab9eaccdd8b6c8994bd26862b058#e3a6084c)`
    ... which satisfies git dependency `presage-store-cipher` of package `signal-worker v0.1.0 (/Users/kon/workspace/myproj/signal-worker)`

failed to select a version for `zeroize` which could resolve this conflict

We're on the main branch now, because we realized our references to lizard2 in the libsignal-client sources meant we could never introduce breaking changes without breaking older versions of libsignal. (Thanks for the reminder to update our GitHub default branch.)

You can see curve25519-dalek is no longer the problem because of the listing of "requirements ^1". I'm not sure what the "locked to 1.3.0" indicates in this error message, though. Is it possible that that's in your lockfile, and you have a setting that keeps that from being automatically updated?

k-bx commented

Apologies, doing this helped:

[patch.crates-io]
curve25519-dalek = { git = 'https://github.com/signalapp/curve25519-dalek', tag = 'signal-curve25519-4.0.0' }