
Outdated version of zeroize forced in aes-gcm-siv #377

Closed
mervyn-mccreight opened this issue Dec 14, 2021 · 11 comments

Comments

@mervyn-mccreight

Currently the version of zeroize is required to be < 1.4, which conflicts with the latest version of secrecy, which needs zeroize to be >= 1.4.

Is there a reason why zeroize is explicitly needed in that version, or can it be updated?

@tarcieri
Member

It's a hack to preserve the current MSRV.

I agree it's less than ideal. Unfortunately Rust does not provide other mechanisms to select MSRV-compatible packages yet.

@mervyn-mccreight
Author

Ah, I see, thanks.
Is being compatible with Rust < 1.51 a strict requirement, or is it something that is open to change?

@tarcieri
Member

We should definitely bump MSRV soon. Now that the 2021 edition is out, it would probably be good to bump all of our crates.

One of the many things the 2021 edition helps with is having a rust-version crate attribute which helps sort out MSRV-related issues like this.

@newpavlov
Member

Is being compatible with Rust < 1.51 a strict requirement

It's not, but we consider bumping MSRV to be a breaking change.

Regarding rust-version, I don't think that until rust-lang/cargo#9930 gets implemented we should change our MSRV policy.

@mervyn-mccreight
Author

Thanks for the detailed explanation :)

Are PRs to bump the version of zeroize plus increasing the defined MSRV welcome, or do you think that this may not be a good "first issue"?

@tarcieri
Member

For something like an edition bump, it'd be nice to do it in a coordinated manner across crates/repos.

@fjarri
Contributor

fjarri commented Jan 16, 2022

Since this issue is still open, how about bumping zeroize to 1.5 (so that it doesn't conflict with the new elliptic-curves, and, I assume, other RustCrypto crates as well)? (the crate I use from AEADs is chacha20poly1305, so hopefully this issue applies to it too)

@tarcieri
Member

tarcieri commented Jan 17, 2022

@fjarri it's going to be a giant pain, since we need to do coordinated bumps of all of the dependencies, likely starting with cipher v0.4: RustCrypto/traits#849

Is Cargo not able to resolve the dependencies such that zeroize is 1.4?
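The question above can be answered by modelling what Cargo has to do with several requirements on one crate that all fall in the same semver-compatible range (here, zeroize 1.x): it must unify them on a single version, so the requirements are effectively intersected. The following Rust program is an added example written for this page, not code from aes-gcm-siv, secrecy or Cargo itself. It assumes the pin is expressed as the requirement string ">=1, <1.4" and secrecy's requirement as "^1.4" (both as paraphrased in the thread), and it uses a constructed list of published versions rather than the real crates.io index.

```rust
// Toy model of Cargo's version unification for requirements that share one
// semver-compatible major range. Constructed example; not Cargo's resolver.

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

/// A half-open interval [lo, hi) of acceptable versions.
#[derive(Debug, Clone, Copy)]
pub struct Req {
    lo: Version,         // inclusive lower bound
    hi: Option<Version>, // exclusive upper bound; None = unbounded
}

fn parse_version(s: &str) -> Version {
    let mut parts = s
        .trim()
        .split('.')
        .map(|p| p.parse::<u64>().expect("numeric version component"));
    Version(
        parts.next().unwrap_or(0),
        parts.next().unwrap_or(0),
        parts.next().unwrap_or(0),
    )
}

/// Parse one comparator: "^1.4" or bare "1.4" (caret is Cargo's default),
/// "<1.4", or ">=1.4".
fn parse_comparator(c: &str) -> Req {
    let c = c.trim();
    if let Some(rest) = c.strip_prefix('<') {
        Req { lo: Version(0, 0, 0), hi: Some(parse_version(rest)) }
    } else if let Some(rest) = c.strip_prefix(">=") {
        Req { lo: parse_version(rest), hi: None }
    } else {
        let v = parse_version(c.strip_prefix('^').unwrap_or(c));
        // Caret: anything up to the next major (next minor for 0.x crates).
        let hi = if v.0 > 0 { Version(v.0 + 1, 0, 0) } else { Version(0, v.1 + 1, 0) };
        Req { lo: v, hi: Some(hi) }
    }
}

fn intersect(a: Req, b: Req) -> Req {
    let lo = a.lo.max(b.lo);
    let hi = match (a.hi, b.hi) {
        (Some(x), Some(y)) => Some(x.min(y)),
        (Some(x), None) | (None, Some(x)) => Some(x),
        (None, None) => None,
    };
    Req { lo, hi }
}

/// Parse a Cargo requirement string with comma-separated comparators,
/// e.g. ">=1, <1.4" (the pin discussed in this thread).
pub fn parse_req(s: &str) -> Req {
    s.split(',')
        .map(parse_comparator)
        .fold(Req { lo: Version(0, 0, 0), hi: None }, intersect)
}

fn matches(r: &Req, v: Version) -> bool {
    v >= r.lo && r.hi.map_or(true, |h| v < h)
}

/// Newest published version satisfying every requirement at once, i.e. the one
/// copy Cargo would unify on. None means the requirements conflict.
pub fn resolve(reqs: &[&str], published: &[Version]) -> Option<Version> {
    let combined = reqs
        .iter()
        .map(|s| parse_req(s))
        .fold(Req { lo: Version(0, 0, 0), hi: None }, intersect);
    published.iter().copied().filter(|v| matches(&combined, *v)).max()
}

/// Constructed sample of "published" zeroize versions (not the real index).
pub fn sample_versions() -> Vec<Version> {
    vec![Version(1, 3, 0), Version(1, 4, 3), Version(1, 5, 0)]
}

fn main() {
    let published = sample_versions();
    // The pin (assumed ">=1, <1.4") against secrecy's assumed "^1.4": no overlap.
    println!("{:?}", resolve(&[">=1, <1.4", "^1.4"], &published)); // None
    // The same pin against a plain "^1" requirement: unifies on 1.3.0.
    println!("{:?}", resolve(&[">=1, <1.4", "^1"], &published)); // Some(Version(1, 3, 0))
}
```

The model deliberately covers only the case in the thread: every requirement is inside the 1.x range, so Cargo cannot fall back to building two copies of the crate the way it could for 0.x versus 1.x. That is why an unpinned `zeroize = "1"` (as in the later v0.11.0-pre release) resolves alongside `^1.4`, while the `<1.4` pin cannot.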

@newpavlov
Member

cipher itself does not depend on zeroize, so I think we can simply bump MSRV for implementation crates during migration to cipher v0.4.

35359595 added a commit to jolocom/ddoresolver-rs that referenced this issue Jan 26, 2022
@tarcieri
Member

FYI: I've opened a tracking issue for zeroize version compatibility here: RustCrypto/utils#723

@tarcieri
Member

tarcieri commented May 1, 2022

I've released aes-gcm-siv v0.11.0-pre with an unpinned zeroize, which should unblock people who are stuck on compatibility.

Please see #410 for additional upgrades needed for a final release.

@tarcieri tarcieri closed this as completed May 1, 2022