-
Notifications
You must be signed in to change notification settings - Fork 232
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v1.18: Use updated branch for curve25519-dalek #1939
Conversation
RUSTSEC-2024-0344 was announced so update to a branch that contains the commits that were created in response to the advisory. We must do this manually as the v1.18 branch is built against curve25519-dalek 3.2.1; this is not the latest major release and the maintainers have chosen not to push changes to their older release branches
ci: ignore curve25519-dalek audit
ci/do-audit.sh
Outdated
# curve25519-dalek | ||
# Patches to address the advisory have been pulled into a fork of the repo. | ||
# See Cargo.toml for more information | ||
--ignore RUSTSEC-2024-0344 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Someone please sanity check me here that it is ok / proper to ignore the advisory since we pulled the commits in ourselves
Also, FWIW, the change to ignore the advisory in CI is present in v2.0; it landed before we cut the branch: Technically, master is currently building against a version of ed25519-dalek that does NOT have the commits to address the security advisory. That is, master is built against this branch: Lines 533 to 535 in b97fa99
which corresponds to this branch: https://github.com/anza-xyz/curve25519-dalek/tree/3.2.1-unpin-zeroize This PR branch is proposing to build v1.18 against this The branch here cherry-picked two additional commits, the commits that address the security advisory that we're ignoring |
Approved for merging over red CI. It's just the downstream projects check that's failing. See #1960 and #releng discussion for context |
Problem
RUSTSEC-2024-0344 was announced so update to a branch that contains the commits that were created in response to the advisory.
We must do this manually as the v1.18 branch is built against curve25519-dalek 3.2.1; this is not the latest major release and the maintainers have chosen not to push changes to their older release branches
Summary of Changes
Update to a branch that contains the zeroize commit, as well as the new security advisory commits