Bump `rsa` : `0.5.0` -> `0.6` (!607) · Merge requests · The Tor Project / Core / Arti

arturomf94 requested to merge arturomf94/arti:bump-rsa-version into main Jun 25, 2022

This includes a change in the x25519-dalek dependency to deal with the conflicting zeroize version. This commit pins the dependency to a commit in a fork that has only one single change, as compared to the previous version; namely, that it uses a less-restrictive version of zeroize ("1", instead of =1.3).

This exact problem has already been discussed in the upstream repo here. Furthermore, there is a branch in the upstream repo that already has this change included. However, this branch also has several other changes that would imply, dealing with, for example, compilation errors from arti/crates/tor-llcrypto/src/util/rand_compat.rs.

This MR also includes a change in the maint/downgrade_dependencies script to set zeroize_derive:1.3.2 instead of zeroize_derive:1.1.1. The previous state was failing with:

error: package ID specification `zeroize_derive:1.1.1` did not match any packages
Did you mean one of these?
  zeroize_derive:1.3.2

I believe version 1.3.2 of zeroize_derive has an MSRV of 1.51, judging by the crates.io README.

Note: If we go forward with this I think we should change the fork to point to something different than my personal GitHub account, but I think it serves at least as a PoC, as it is now.

Solves #448 (closed)

Edited Jun 25, 2022 by arturomf94

Bump `rsa` : `0.5.0` -> `0.6`

Merge request reports