
RUSTSEC-2021-0137: sodiumoxide is deprecated

Open github-actions[bot] opened this issue 2 years ago • 3 comments

sodiumoxide is deprecated

Details
Status: unmaintained
Package: sodiumoxide
Version: 0.2.7
URL: https://github.com/sodiumoxide/sodiumoxide/commit/5bb1dfd2578539b89ffb0cbea25f21f00cfb963e
Date: 2021-10-22

Alternatives may be found (not in any specific order):

Recommendations can also be found from:

No direct maintained fork exists.

See advisory page for additional details.

github-actions[bot] avatar Aug 11 '22 00:08 github-actions[bot]

@thomaseizinger, this issue with regard to cryptography isn't major, and using ed25519 for Edwards keys will be a good replacement if any such cryptographic methods are used!

AbhijithGanesh avatar Aug 11 '22 16:08 AbhijithGanesh

> @thomaseizinger, this issue with regard to cryptography isn't major, and using ed25519 for Edwards keys will be a good replacement if any such cryptographic methods are used!

I don't think we can just replace this that easily. The noise transport follows a specification (see https://github.com/libp2p/specs).

thomaseizinger avatar Aug 11 '22 22:08 thomaseizinger

Let me review this and amend my PR; I wasn't aware of the Noise specification.

AbhijithGanesh avatar Aug 12 '22 00:08 AbhijithGanesh

@pinkforest do you have opinions on which alternative to use?

mxinden avatar Aug 13 '22 03:08 mxinden

:) @thomaseizinger and @mxinden, you owe me a :tropical_drink: for this... :ship: PR #2817

You could just continue with sodiumoxide as it's only in testing purposes...

But yeah, there are always big concerns about what happens with unmaintained stuff.

I've sent a PR to use ed25519-compact and libsodium-sys-stable, which is the maintained version of libsodium-sys.

All are maintained by Frank (@jedisct1), who also maintains the libsodium C library and ed25519-compact:

  • https://github.com/jedisct1/libsodium - C-Library
  • https://github.com/jedisct1/libsodium-sys-stable - Stable current maintained :crab: sys crate
  • https://github.com/jedisct1/rust-ed25519-compact

Thanks Frank!

pinkforest avatar Aug 13 '22 07:08 pinkforest
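For readers following the dependency swap discussed above, here is what the manifest side of it looks like. This is an added illustration, not the contents of PR #2817 or any rust-libp2p file: it assumes sodiumoxide is only a dev-dependency (as the thread says it is used for testing), takes the crate names from the thread, and uses labelled placeholders instead of version pins, which the page does not state.

```toml
# Added example, not code from the rust-libp2p project or PR #2817.
# Crate names come from the issue thread; version strings are placeholders
# and should be pinned to the current releases before use.

[dev-dependencies]
# Before: the unmaintained crate flagged by RUSTSEC-2021-0137
# (version as listed in the advisory)
# sodiumoxide = "0.2.7"

# After: the maintained replacements named in the thread
ed25519-compact = "<pin-current-release>"       # pure-Rust Ed25519 for test keys (assumption)
libsodium-sys-stable = "<pin-current-release>"  # maintained libsodium bindings
```

Two checks worth running after such a swap: `cargo tree -i sodiumoxide` lists every crate in the graph that still pulls in sodiumoxide (the dependency disappears from the advisory only once nothing in Cargo.lock depends on it), and `cargo audit` from the RustSec project rechecks Cargo.lock against the advisory database, which is where the RUSTSEC-2021-0137 warning this issue was opened for comes from. Changing the manifest does not by itself settle the point raised earlier in the thread: the Noise handshake in the transport follows the libp2p specification, so any change to the key material used in tests still has to produce the same wire behaviour.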

@pinkforest Does that make my PR redundant? Should I close it?

AbhijithGanesh avatar Aug 15 '22 17:08 AbhijithGanesh