ed25519-dalek

Update rand, rand-core (and merlin)

Open bltavares opened this issue 4 years ago • 8 comments

Updates rand and rand-core to their latest versions. It also requires updating merlin to its latest version to match the rand dependencies.

This PR contains commits from https://github.com/dalek-cryptography/ed25519-dalek/pull/156

Closes https://github.com/dalek-cryptography/ed25519-dalek/pull/156

bltavares, Feb 01 '21 00:02

A needed change but would be technically breaking unless a version range like >=0.7, <0.9 is used.

robjtede, Mar 02 '21 11:03

This crate could easily prevent such breaking changes by re-exporting crates that are used by its public API such as rand. I made a PR to fix this https://github.com/dalek-cryptography/ed25519-dalek/pull/159.

Well-maintained crates are doing this, e.g. secp256k1.

toxeus, Mar 02 '21 11:03

> This crate could easily prevent such breaking changes by re-exporting crates that are used by its public API such as rand

It'd still be a breaking change though, as users could still use rand without going through the public re-export. It'd still be a good idea for usability reasons though.

roblabla, Mar 02 '21 13:03

Agreed, the user can always shoot herself in the foot. There's no silver bullet but it would be at least an improvement.

toxeus, Mar 02 '21 13:03
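The version mismatch debated in the comments above, modeled as an added example (not code from ed25519-dalek or from any commenter). The modules `rand_0_7`, `rand_0_8` and `signer` are constructed stand-ins for two rand releases and a signing crate, and `StepRng` is a deterministic counter, not a real RNG.

```rust
// Constructed stand-ins for two semver-incompatible `rand` releases. Cargo builds
// 0.7 and 0.8 as separate crates, so their `RngCore` traits are unrelated types.
pub mod rand_0_7 {
    pub trait RngCore { fn next_u32(&mut self) -> u32; }
    pub struct StepRng(pub u32); // deterministic counter for the demo, NOT a real RNG
    impl RngCore for StepRng {
        fn next_u32(&mut self) -> u32 { self.0 += 1; self.0 }
    }
}
pub mod rand_0_8 {
    pub trait RngCore { fn next_u32(&mut self) -> u32; }
    pub struct StepRng(pub u32);
    impl RngCore for StepRng {
        fn next_u32(&mut self) -> u32 { self.0 += 1; self.0 }
    }
}

// Hypothetical signing crate: its public API is generic over *its* rand version.
pub mod signer {
    pub use super::rand_0_7 as rand; // the re-export proposed in the thread
    pub struct Keypair { pub secret: [u32; 2] }
    impl Keypair {
        pub fn generate<R: rand::RngCore>(rng: &mut R) -> Keypair {
            Keypair { secret: [rng.next_u32(), rng.next_u32()] }
        }
    }
}

// Downstream code that names the RNG through the re-export keeps compiling
// whichever rand version `signer` depends on.
pub fn keygen_via_reexport() -> [u32; 2] {
    let mut rng = signer::rand::StepRng(0);
    signer::Keypair::generate(&mut rng).secret
}

// The same application can still use rand 0.8 for its own needs in the same build.
pub fn app_word_from_0_8() -> u32 {
    use rand_0_8::RngCore;
    rand_0_8::StepRng(41).next_u32()
}

// Handing the 0.8 RNG to `signer` is the mismatch discussed above. Uncommented,
// the next line is rejected with E0277 (trait bound not satisfied):
//     signer::Keypair::generate(&mut rand_0_8::StepRng(0));

fn main() {
    println!("{:?} {}", keygen_via_reexport(), app_word_from_0_8());
}
```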

Bump. I'm currently keeping rand 0.7 around for dalek-cryptography, and it's causing me a bit of trouble, as the rest of the ecosystem is moving towards rand 0.8. Is there any way I can help move this forward? merlin seems to have been updated (docs.rs lists the latest version, 3.0.0, as using the correct version of rand). What are the remaining steps?

roblabla, Jun 11 '21 14:06

This project's maintenance seems to have dropped significantly. No activity by the maintainers on pull-requests and no commits since September 2020. I'm considering maintaining a fork and making sure that dependency updates land in a timely manner, which is not really difficult using the auto-update tooling widely available (renovate-bot, dependa-bot, etc.). Let me know if there's interest. That might help my motivation :)

toxeus, Jul 08 '21 14:07

> I'm considering maintaining a fork

This has already happened for the primary dependency of this crate: curve25519-dalek: https://github.com/zkcrypto/curve25519-dalek-ng

There is an open issue about forking ed25519-dalek into the same organization: https://github.com/zkcrypto/curve25519-dalek-ng/issues/8

thomaseizinger, Jul 16 '21 03:07

I've migrated to https://github.com/jedisct1/rust-ed25519-compact. It's well maintained and works great.

toxeus, Jun 22 '22 20:06

All deps have been updated in the release/2.0 branch. We will be cutting a prerelease soon.

rozbb, Dec 21 '22 20:12