v1.18: Use updated branch for curve25519-dalek #1939
Conversation
RUSTSEC-2024-0344 was announced so update to a branch that contains the commits that were created in response to the advisory. We must do this manually as the v1.18 branch is built against curve25519-dalek 3.2.1; this is not the latest major release and the maintainers have chosen not to push changes to their older release branches
ci: ignore curve25519-dalek audit
ci/do-audit.sh
Outdated
| # curve25519-dalek | ||
| # Patches to address the advisory have been pulled into a fork of the repo. | ||
| # See Cargo.toml for more information | ||
| --ignore RUSTSEC-2024-0344 |
There was a problem hiding this comment.
Someone please sanity check me here that it is ok / proper to ignore the advisory since we pulled the commits in ourselves
|
Also, FWIW, the change to ignore the advisory in CI is present in v2.0; it landed before we cut the branch: Technically, master is currently building against a version of ed25519-dalek that does NOT have the commits to address the security advisory. That is, master is built against this branch: Lines 533 to 535 in b97fa99 which corresponds to this branch: https://github.com/anza-xyz/curve25519-dalek/tree/3.2.1-unpin-zeroize This PR branch is proposing to build v1.18 against this The branch here cherry-picked two additional commits, the commits that address the security advisory that we're ignoring |
|
Approved for merging over red CI. It's just the downstream projects check that's failing. See #1960 and #releng discussion for context |
Problem
RUSTSEC-2024-0344 was announced so update to a branch that contains the commits that were created in response to the advisory.
We must do this manually as the v1.18 branch is built against curve25519-dalek 3.2.1; this is not the latest major release and the maintainers have chosen not to push changes to their older release branches
Summary of Changes
Update to a branch that contains the zeroize commit, as well as the new security advisory commits