Increase MSRV to allow for Zeroize > 1.4 #388
Comments
I, too, am curious about this.
What is the problem? Why are setting <1.4 restriction on Zeroize?
We are hitting this in the
Hitting a similar issue to @k0nserv at work with the aws-sdk crates which require zeroize ^1.4. It's very common in the Cargo ecosystem for MSRV bumps to exist in minor versions. If users of the crate wish to remain on an outdated compiler, they are able to solve MSRV problems themselves by pinning deps (even deep ones) in their own application's manifest.
Same problem here with aws-sdk crates and ethereum web3 crates
Just linking to the issue that established this pinned version: #362
This is now resolved in the
@rozbb When can we expect a release here? I think for many folks this problem remains unresolved until a release is made (pointing to GitHub will not work well in libraries I think). Thanks for working on this by the way, really appreciate it
@k0nserv see open items under https://github.com/dalek-cryptography/curve25519-dalek/labels/do-for-4.0 Also: #405 |
It’s been nearly 4 years since the release of Rust 1.41 so there’s no point in keeping such a low MSRV. Issue dalek-cryptography#362 which was the reason for pinning is over two years old. Issue dalek-cryptography#388 says that:

> This is now resolved in the release/4.0 branch. Next release (or prerelease) will have a laxer zeroize dependency.

however, not everyone has the luxury of migrating to 4.x branch. 3.x release of the crate is pulled in through third party dependency whose update plan is unknown. Meanwhile, pinning zeroize causes build failure as pointed in aforecited issues as well as shown below:

    error: failed to select a version for `zeroize`.
    ... required by package `curve25519-dalek v3.2.1`
    ... which satisfies dependency `curve25519-dalek = "^3.2.1"` of package `solana-program v1.17.6`
    ... which satisfies dependency `solana-program = "^1.16.14"` (locked to 1.17.6) of package `…`
    versions that meet the requirements `>=1, <1.4` are: 1.3.0, 1.2.0, 1.1.1, 1.1.0, 1.0.0

Unpin zeroize crate and update MSRV to 1.60 which is current MSRV of zeroize and a 20 month old Rust release.

It’s been nearly 4 years since the release of Rust 1.41 so there’s no point in keeping such a low MSRV. Issue dalek-cryptography#362 which was the reason for pinning is over two years old. From issue dalek-cryptography#388 we know that:

> This is now resolved in the release/4.0 branch. Next release (or prerelease) will have a laxer zeroize dependency.

however, not everyone has the luxury of migrating to 4.x. 3.x may be pulled in through third party dependency whose update plan is unknown. Meanwhile, pinning zeroize causes build failure as pointed in aforecited issues as well as shown below:

    error: failed to select a version for `zeroize`.
    ... required by package `curve25519-dalek v3.2.1`
    ... which satisfies dependency `curve25519-dalek = "^3.2.1"` of package `solana-program v1.17.6`
    ... which satisfies dependency `solana-program = "^1.16.14"` (locked to 1.17.6) of package `…`
    versions that meet the requirements `>=1, <1.4` are: 1.3.0, 1.2.0, 1.1.1, 1.1.0, 1.0.0

Unpin zeroize crate and update MSRV to 1.60 which is current MSRV of zeroize and a 20 month old Rust release.

It’s been nearly 4 years since the release of Rust 1.41 so there’s no point in keeping such a low MSRV. Issue dalek-cryptography#362 which was the reason for pinning is over two years old. From issue dalek-cryptography#388 we know that:

> This is now resolved in the release/4.0 branch. Next release (or prerelease) will have a laxer zeroize dependency.

however, not everyone has the luxury of migrating to 4.x. 3.x may be pulled in through third party dependency whose update plan is unknown. Meanwhile, pinning zeroize causes build failure as pointed in aforecited issues as well as shown below:

    error: failed to select a version for `zeroize`.
    ... required by package `der v0.7.8`
    ... which satisfies dependency `der = "^0.7"` (locked to 0.7.8) of package `pkcs8 v0.10.2`
    ... which satisfies dependency `pkcs8 = "^0.10"` (locked to 0.10.2) of package `ed25519 v2.2.3`
    ... which satisfies dependency `ed25519 = "^2"` (locked to 2.2.3) of package `tendermint v0.34.0`
    ... which satisfies dependency `tendermint = "^0.34.0"` (locked to 0.34.0) of package `ibc-testkit v0.48.1`
    ... which satisfies dependency `ibc-testkit = "^0.48.1"` (locked to 0.48.1) of package `…`
    versions that meet the requirements `^1.5` are: 1.7.0, 1.6.0, 1.5.7, 1.5.6, 1.5.5, 1.5.4, 1.5.3

Unpin zeroize crate and update MSRV to 1.60 which is current MSRV of zeroize and a 20 month old Rust release.

Hi, is there any chance we can increase the minimum supported rust version and zeroize to > 1.4? It conflicts with a lot of other crates. Thanks!
Based on what I'm seeing here: Devolutions/picky-rs#140 (comment)
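
Why the resolver fails in the error output quoted in this thread, as an added example (not code from curve25519-dalek or Cargo): a minimal model of the requirement forms `>=1, <1.4` and `^1.5`, checked against the zeroize versions listed in those errors. The relaxed requirement `^1` used in `main` is an assumption; the thread does not state the new requirement.

```rust
// Added illustration; not code from curve25519-dalek or Cargo.
// Models only the requirement forms quoted in this thread: `>=`, `<`, `^`.
type Version = (u64, u64, u64);

// Parse "1", "1.4" or "1.5.3"; missing components default to 0.
fn parse(s: &str) -> Version {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().unwrap());
    (parts.next().unwrap(), parts.next().unwrap_or(0), parts.next().unwrap_or(0))
}

// One comparator. Caret is handled for major >= 1 only, which is all
// the thread needs: ^1.4 means >=1.4.0, <2.0.0.
fn comparator_matches(cmp: &str, v: Version) -> bool {
    let cmp = cmp.trim();
    if let Some(rest) = cmp.strip_prefix(">=") {
        v >= parse(rest)
    } else if let Some(rest) = cmp.strip_prefix('<') {
        v < parse(rest)
    } else if let Some(rest) = cmp.strip_prefix('^') {
        let low = parse(rest);
        v >= low && v.0 == low.0
    } else {
        panic!("comparator form not modelled: {}", cmp)
    }
}

// A requirement is a comma-separated list; every comparator must hold.
fn req_matches(req: &str, v: Version) -> bool {
    req.split(',').all(|c| comparator_matches(c, v))
}

// Versions acceptable to every requirement at once. Cargo resolves one
// version per semver-compatible (here 1.x) range, so empty means failure.
fn unify<'a>(reqs: &[&str], published: &[&'a str]) -> Vec<&'a str> {
    published.iter().copied()
        .filter(|v| reqs.iter().all(|r| req_matches(r, parse(v))))
        .collect()
}

// zeroize versions named in the error output quoted in this thread.
const PUBLISHED: [&str; 12] = ["1.0.0", "1.1.0", "1.1.1", "1.2.0", "1.3.0",
    "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.6.0", "1.7.0"];

fn main() {
    // Pinned 3.x requirement against der's requirement: no common version.
    println!("{:?}", unify(&[">=1, <1.4", "^1.5"], &PUBLISHED));
    // Assumed relaxed requirement `^1` (the thread does not give the new one).
    println!("{:?}", unify(&["^1", "^1.5"], &PUBLISHED));
}
```
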