crypto_box: zeroize is locked into an old version #33

Closed
jpdoyle opened this issue Jan 27, 2022 · 4 comments

jpdoyle commented Jan 27, 2022

I have a project using both elliptic-curves and crypto_box, and when I updated elliptic-curves I could no longer build because crypto_box requires zeroize < 1.5. A minimized reproduction is available at https://github.com/jpdoyle/cryptobox-zeroize-issue

The error reported is:

```
$ cargo build
    Updating crates.io index
error: failed to select a version for `zeroize`.
    ... required by package `xsalsa20poly1305 v0.8.0`
    ... which satisfies dependency `xsalsa20poly1305 = "^0.8"` of package `crypto_box v0.7.0`
    ... which satisfies dependency `crypto_box = "^0.7.0"` of package `cryptobox-zeroize-issue v0.1.0 (/home/joe/Sync/cryptobox-zeroize-issue)`
versions that meet the requirements `>=1, <1.4` are: 1.3.0, 1.2.0, 1.1.1, 1.1.0, 1.0.0

all possible versions conflict with previously selected packages.

  previously selected package `zeroize v1.5.1`
    ... which satisfies dependency `zeroize = "^1.5"` of package `elliptic-curve v0.11.9`
    ... which satisfies dependency `elliptic-curve = "^0.11.9"` of package `cryptobox-zeroize-issue v0.1.0 (/home/joe/Sync/cryptobox-zeroize-issue)`

failed to select a version for `zeroize` which could resolve this conflict
```

It looks like fixing this also requires updating xsalsa20poly1305 in https://github.com/RustCrypto/AEADs

My local cargo version is:

```
$ cargo --version
cargo 1.56.0
```

@tarcieri (Member)

This is a problem across all of our projects. We lock zeroize to preserve MSRV, but it's becoming very difficult to maintain across projects.

The best solution for now is probably to revert the changes to elliptic-curve and punt on zeroize updates until the next release.

@tarcieri (Member)

I've opened a tracking issue for this: RustCrypto/utils#723

@tarcieri (Member)

@jpdoyle for now I've released a new version of elliptic-curve v0.11 which downgrades the zeroize dependency and will hopefully address your immediate problems

tri-joe added a commit to EspressoSystems/cape that referenced this issue Jan 27, 2022
The conflict between `elliptic_curves` and `crypto_box` got temporarily
patched. For context, see:
- RustCrypto/nacl-compat#33 (comment)
- RustCrypto/utils#723
tri-joe added a commit to EspressoSystems/cape that referenced this issue Jan 27, 2022
Fixes #269

The conflict between `elliptic_curves` and `crypto_box` got temporarily
patched. For context, see:
- RustCrypto/nacl-compat#33 (comment)
- RustCrypto/utils#723

jpdoyle commented Jan 27, 2022

That fixed the immediate issue! Thanks a ton.

jpdoyle closed this as completed Jan 27, 2022

tri-joe added a commit to EspressoSystems/cape that referenced this issue Jan 31, 2022
Fixes #269

The conflict between `elliptic_curves` and `crypto_box` got temporarily
patched. For context, see:
- RustCrypto/nacl-compat#33 (comment)
- RustCrypto/utils#723

Apparently ethers:master has been broken for about a week