Conversation

@nresare nresare commented Mar 20, 2025

The reason I would like to make this change is to enable the upgrade to rand_core 0.9.x in the upstream curve25519-dalek repo, which in turn would enable the upgrade to other parts of the RustCrypto set of crates.

The change is quite substantial, as can be seen here: nresare/curve25519-dalek@2228215, so it would seem to me that making that change to the forked curve25519-dalek-ng would be quite the effort, which makes me think that it would make sense to switch back to the upstream curve25519-dalek and do a coordinated release of both packages.

nresare commented Mar 20, 2025

For details on the rand_core update in curve25519-dalek, please see dalek-cryptography/curve25519-dalek#729

baloo commented May 13, 2025

@str4d any chance you could give this a look?

This is similar to zkcrypto/ff#122 and zkcrypto/group#56. This could use a new minor release once merged.

Thanks a lot!

@tarcieri

It looks like @hdevalence and @alinush are the ones with publish access to the merlin crate. It would be fantastic if one of them could review it.

tarcieri added a commit to dalek-cryptography/curve25519-dalek that referenced this pull request Jun 20, 2025
`merlin` is currently a blocker for upgrading to `rand_core` v0.9 by way
of the `transcript.build_rng().finalize()` function (which we only pass
`ZeroRng` to).

There is an open PR to update `rand_core` in `merlin` and I have pinged
the relevant people to take a look, hopefully: zkcrypto/merlin#11

However, in the event we can't get `merlin` updated, this at least
unblocks the `rand_core` upgrade, and is being opened as a contingency
plan for that case.

The PR has been implemented in a way that it should be easy to switch
back to upstream `merlin` in the event they upgrade `rand_core`.
rozbb pushed a commit to dalek-cryptography/curve25519-dalek that referenced this pull request Jun 20, 2025
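The coupling the commit message describes (a caller written against rand_core 0.9 that must pass an RNG into `build_rng().finalize()`, which is bound to the rand_core 0.8 traits) comes down to the fact that two semver-incompatible versions of a crate export distinct traits even when the names match, and the contingency is an adapter between them. The following is an added illustration written for this page; it is not code from merlin, curve25519-dalek or the rand_core crates. The two modules are local stand-ins for the `RngCore`/`CryptoRng` traits of rand_core 0.8 and 0.9 (reduced to three methods so the example builds without dependencies), `finalize_08` is a stand-in for merlin's `TranscriptRngBuilder::finalize` (a plain XOR, not merlin's STROBE construction), and `ZeroRng` is assumed, from its name in the commit message, to emit only zero bytes. `PatternRng` and `Compat08` are constructed for the example.

```rust
// Added illustration, not code from merlin, curve25519-dalek or rand_core.
// Local stand-ins for the rand_core 0.8 traits.
mod rand_core_0_8 {
    pub trait RngCore {
        fn next_u32(&mut self) -> u32;
        fn next_u64(&mut self) -> u64;
        fn fill_bytes(&mut self, dest: &mut [u8]);
    }
    /// In 0.8 the marker has no supertrait.
    pub trait CryptoRng {}
}

// Local stand-ins for the rand_core 0.9 traits.
mod rand_core_0_9 {
    pub trait RngCore {
        fn next_u32(&mut self) -> u32;
        fn next_u64(&mut self) -> u64;
        fn fill_bytes(&mut self, dest: &mut [u8]);
    }
    /// In 0.9 the marker requires RngCore.
    pub trait CryptoRng: RngCore {}
}

/// Stand-in for merlin's `TranscriptRngBuilder::finalize`, generic over the
/// rand_core 0.8 traits. The "transcript" is reduced to a 32-byte seed XORed
/// with 32 bytes drawn from the caller's RNG (assumed shape for illustration).
fn finalize_08<R>(transcript_seed: [u8; 32], rng: &mut R) -> [u8; 32]
where
    R: rand_core_0_8::RngCore + rand_core_0_8::CryptoRng,
{
    let mut random = [0u8; 32];
    rng.fill_bytes(&mut random);
    let mut out = [0u8; 32];
    for (o, (s, r)) in out.iter_mut().zip(transcript_seed.iter().zip(random.iter())) {
        *o = s ^ r;
    }
    out
}

/// Caller-side RNG written against rand_core 0.9, mirroring the `ZeroRng` the
/// commit message mentions: assumed to emit only zeros, so the derived seed
/// depends on the transcript alone.
pub struct ZeroRng;

impl rand_core_0_9::RngCore for ZeroRng {
    fn next_u32(&mut self) -> u32 { 0 }
    fn next_u64(&mut self) -> u64 { 0 }
    fn fill_bytes(&mut self, dest: &mut [u8]) {
        dest.iter_mut().for_each(|b| *b = 0);
    }
}
impl rand_core_0_9::CryptoRng for ZeroRng {}

/// Constructed non-zero RNG for contrast: a fixed byte pattern, not randomness.
pub struct PatternRng(pub u8);

impl rand_core_0_9::RngCore for PatternRng {
    fn next_u32(&mut self) -> u32 { u32::from_le_bytes([self.0; 4]) }
    fn next_u64(&mut self) -> u64 { u64::from_le_bytes([self.0; 8]) }
    fn fill_bytes(&mut self, dest: &mut [u8]) {
        dest.iter_mut().for_each(|b| *b = self.0);
    }
}
impl rand_core_0_9::CryptoRng for PatternRng {}

/// The bridge: a 0.9 RNG presented through the 0.8 traits. Same trait names,
/// but `rand_core_0_8::RngCore` and `rand_core_0_9::RngCore` are distinct to
/// rustc, exactly as two incompatible crate versions are.
pub struct Compat08<R>(pub R);

impl<R: rand_core_0_9::RngCore> rand_core_0_8::RngCore for Compat08<R> {
    fn next_u32(&mut self) -> u32 { self.0.next_u32() }
    fn next_u64(&mut self) -> u64 { self.0.next_u64() }
    fn fill_bytes(&mut self, dest: &mut [u8]) { self.0.fill_bytes(dest) }
}
impl<R: rand_core_0_9::CryptoRng> rand_core_0_8::CryptoRng for Compat08<R> {}

/// Derive the transcript RNG seed with a 0.9 RNG, routed through the adapter.
pub fn derive_seed<R: rand_core_0_9::CryptoRng>(transcript_seed: [u8; 32], rng: R) -> [u8; 32] {
    finalize_08(transcript_seed, &mut Compat08(rng))
}

fn main() {
    let seed = [0x42u8; 32];
    println!("ZeroRng:    {:02x?}", derive_seed(seed, ZeroRng));
    println!("PatternRng: {:02x?}", derive_seed(seed, PatternRng(0xff)));
}
```

With `ZeroRng` the derived seed equals the transcript seed, which is the property that makes a zero RNG acceptable at this call site: the only entropy is whatever the transcript already committed to. Once merlin itself moves to rand_core 0.9, the adapter is deleted and `ZeroRng` is passed directly, which is the "easy to switch back" path the commit message refers to.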