Replace deprecated rust-crypto dep with RustCrypto org packages #719

Merged
merged 6 commits into from
Mar 2, 2021

@adizere adizere commented Mar 1, 2021

Closes: #352
Closes: #720

Description

Our security audits are starting to fail:
https://github.com/informalsystems/ibc-rs/runs/2006092577?check_suite_focus=true

After a brief search, I chose to use crates from https://github.com/RustCrypto. Their crates seem to be maintained (repos had activity within the last few hours/days).

  • Note that we're still depending on rust-crypto transitively via bitcoin-wallet v1.1.0, hence the security audit still fails. H/t @romac for suggesting tiny-bip39 to replace bitcoin-wallet.
  • Also removed the ics23 dependency since we didn't use it and it triggered an audit failure (see RUSTSEC-2020-0146: arr! macro erases lifetimes #720). Maintainers of ics23 are aware of the problem (ics23/#37).

For contributor use:

  • Updated the Unreleased section of CHANGELOG.md with the issue.
  • If applicable: Unit tests written, added test to CI.
  • Linked to GitHub issue with discussion and accepted design OR link to spec that describes this work.
  • Updated relevant documentation (docs/) and code comments.
  • Re-reviewed Files changed in the GitHub PR explorer.

@romac romac changed the title from "Replacer deprecated rust-crypto dep with RustCrypto org packages" to "Replace deprecated rust-crypto dep with RustCrypto org packages" on Mar 2, 2021

romac commented Mar 2, 2021

As we only use bitcoin-wallet for BIP39 mnemonics, I suggest we switch over to https://lib.rs/crates/tiny-bip39 which provides just the functionality we need. Of course we should first check if that crate passes the cargo-audit check.

@adizere adizere merged commit bdd5c2b into master Mar 2, 2021
@adizere adizere deleted the adi/352_crypto branch March 2, 2021 10:45
@adizere adizere linked an issue Mar 2, 2021 that may be closed by this pull request
hu55a1n1 pushed a commit to hu55a1n1/hermes that referenced this pull request Sep 13, 2022
…rmalsystems#719)

* Replaced rust-crypto dep with RustCrypto org packages.

* changelog

* lockfile

* Replaced bitcoin-wallet with bip39

* FMT

* Removed unused ics23 dep