rusk
Patch freeze external dependencies
Summary
We are currently in a feature freeze as we finalize our mainnet candidate. To make sure we are not at risk of supply-chain attacks or semver breaks, it is necessary to patch-freeze all external dependencies. This step is crucial to prevent unexpected updates or changes in third-party crates that could introduce bugs or vulnerabilities.
The goal is to lock dependencies to specific patch versions across both the Rusk binary and actively developed internal libraries.
Possible solution design or implementation
We need to do 4 things:
- Commit the `Cargo.lock` for the Rusk binary.
- Patch-freeze all external dependencies of the internal libraries. For example, update `rkyv = { version = "0.7" }` to `rkyv = { version = "=0.7.43" }`.
- Where feasible, move common dependencies into the top-level workspace so that the members inherit the same dependency version. See "Inheriting a dependency from a workspace" in the Cargo reference.
- Resolve any dependency conflicts between external libraries that pop up as a result of version locking.