-
Notifications
You must be signed in to change notification settings - Fork 228
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade (or replace) *ring* #11
Labels
dependencies
Pull requests that update a dependency file
Comments
I released a full I'd say it's a bit "bleeding edge" to swap out immediately, but I know some people who want to play with it, so I'll let you know how that goes. |
tarcieri
pushed a commit
to tendermint/tmkms
that referenced
this issue
Oct 18, 2019
This commit updates `signatory` and `yubihsm` to the latest versions. This requires either upgrading *ring* to 0.16, or replacing it: informalsystems/tendermint-rs#11 This commit has opted to replace it with the (i.e. my) `chacha20poly1305` crate: https://github.com/RustCrypto/AEADs/tree/master/chacha20poly1305 While *ring* is a great crate with excellent cryptographic implementations, the inability to link two versions of `ring-asm` is a major impediment to doing upgrades, as it requires updating all *ring*-dependent dependencies at once, or not at all, which so far has been a major blocker and has been stalling KMS development for awhile. As we're only using it for ChaCha20Poly1305, it seems like a rather heavyweight dependency just to serve that one purpose.
This was referenced Nov 6, 2019
The dependency was removed in a47430a. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The ring crate (BoringSSL crypto primitives wrapped in Rust) is two versions out-of-date (currently 0.14, latest 0.16), and unfortunately like most other Rust crates, does not allow two versions to be linked simultaneously. I just updated Signatory and yubihsm-rs to use ring 0.16, but they're presently incompatible with the KMS due to the older version used by this crate:
All ring is used for is the ChaCha20Poly1305 implementation, which for me it seems like a particularly heavyweight dependency if we're only using it for that.
I've been contributing to the
chacha20
crate as part of RustCrypto stream ciphers, which provides a potential replacement.The text was updated successfully, but these errors were encountered: