From a099c7a0b8ac4281dbc6dd422d697e700c28a7d1 Mon Sep 17 00:00:00 2001
From: Illia Bobyr
Date: Mon, 23 Oct 2023 12:19:59 -0700
Subject: [PATCH] zeroize: Allow versions newer than 1.3 for `curve25519-dalek` (#33516)

`curve25519-dalek` v3.2.1 has a constraint on the maximum `zeroize` version to be no more than 1.3. At the same time, `cargo` does not want to construct a dependency graph with duplicate instances of a crate, when the first non-zero version of those instances are the same. That is, it refuses to build a workspace with both 1.3 and 1.4 versions of `zeroize`. `zeroize` is actually backward compatible, and `curve25519-dalek` restriction is overly pessimistic. These packages lifted this restriction in newer versions, but we still depend on older version and can not immediately update.
---
 Cargo.lock | 3 +--
 Cargo.toml | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 5607935ec2..c1cabdce07 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1464,8 +1464,7 @@ dependencies = [
 [[package]]
 name = "curve25519-dalek"
 version = "3.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90f9d052967f590a76e62eb387bd0bbb1b000182c3cefe5364db6b7211651bc0"
+source = "git+https://github.com/solana-labs/curve25519-dalek.git?rev=c14774464c4d38de553c6ef2f48a10982c1b4801#c14774464c4d38de553c6ef2f48a10982c1b4801"
 dependencies = [
 "byteorder",
 "digest 0.9.0",
diff --git a/Cargo.toml b/Cargo.toml
index 53889bf2f4..fb267abb93 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -492,3 +492,36 @@ solana-zk-token-sdk = { path = "zk-token-sdk" }
 [patch.crates-io.aes-gcm-siv]
 git = "https://github.com/RustCrypto/AEADs"
 rev = "6105d7a5591aefa646a95d12b5e8d3f55a9214ef"
+
+# Our dependency tree has `curve25519-dalek` v3.2.1. They have removed the
+# constrain in the next major release. Commit that removes `zeroize` constrain
+# was added to multiple release branches. Bot not to the 3.2 branch.
+#
+# `curve25519-dalek` maintainers are saying they do not want to invest any more
+# time in the 3.2 release:
+#
+# https://github.com/dalek-cryptography/curve25519-dalek/issues/452#issuecomment-1749809428
+#
+# So we have to fork and create our own release, based on v3.2.1. Commit that
+# removed `zeroize` constrain on the `main` branch cherry picked on top of the
+# v3.2.1 release.
+#
+# `curve25519-dalek` v3.2.1 release:
+#
+# https://github.com/dalek-cryptography/curve25519-dalek/releases/tag/3.2.1
+#
+# Corresponds to commit
+#
+# https://github.com/dalek-cryptography/curve25519-dalek/commit/29e5c29b0e5c6821e4586af58b0d0891dd2ec639
+#
+# Comparison with `c14774464c4d38de553c6ef2f48a10982c1b4801`:
+#
+# https://github.com/dalek-cryptography/curve25519-dalek/compare/3.2.1...solana-labs:curve25519-dalek:c14774464c4d38de553c6ef2f48a10982c1b4801
+#
+# Or, using the branch name instead of the hash:
+#
+# https://github.com/dalek-cryptography/curve25519-dalek/compare/3.2.1...solana-labs:curve25519-dalek:3.2.1-unpin-zeroize
+#
+[patch.crates-io.curve25519-dalek]
+git = "https://github.com/solana-labs/curve25519-dalek.git"
+rev = "c14774464c4d38de553c6ef2f48a10982c1b4801"
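Review bot: The new comment block above `[patch.crates-io.curve25519-dalek]` misspells its key term in three places (`constrain` should read `constraint`) and has `Bot not to the 3.2 branch` for `But not to the 3.2 branch`; as this comment is the only in-tree explanation of why a cryptographic crate is now pulled from a fork rather than crates.io, the wording deserves to be exact. The Cargo.lock hunk shows the `checksum` line disappearing with the switch to a git source, so the full-SHA `rev` below is now the sole integrity anchor for this crate, and the comment should say that the branch-name compare link is informational only, e.g. `# The rev below (a full commit hash) is what cargo pins to and verifies; the branch-name compare link above can move and is for reading only.` The commit message says the workspace cannot update yet, so a removal marker such as `# TODO: drop this patch once the workspace depends on a curve25519-dalek release that no longer pins zeroize to <= 1.3.` would keep the fork from outliving its reason. The patched table is fully contained in this hunk.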