depends on deprecated library sodiumoxide #24
Comments
|
I think it's not deprecated in terms of DO NOT USE, but rather: it's now feature complete, no? |
|
Right, that is my understanding as well. I am no crypto expert, but seem to read between the lines, however, that what the author describes as having "vastly changed" includes maturity of implementations in native Rust, which I would expect to have both size, speed, and stability improvements. Seems the Dalek libraries (and crates based on those) are the most popular in the Rust community nowadays. |
|
The problem is that we can't only care about quality, but we also need to care about compatibility with the algorithms we use (libsodium ones). Dalek looks great though! I wonder if there's a sodium compatibility layer! |
|
Perhaps this: https://crates.io/crates/crypto_box |
|
Main questions are:
|
|
sodiumoxide is now completely archived and will thus no longer receive security fixes; it should be replaced. |
|
:| OK, I'll try to find some time to take a look, thanks! |
|
I'm looking into finally upstreaming libetebase into openSUSE, and just discovered this one again during the automated cargo audit that's run. Friendly bump 🤗 |
|
There's nothing wrong with sodiumoxide I believe, it's just "no longer developed". I don't know what it actually means in terms of security, but given that it's just a thin wrapper around libsodium, I'm not that concerned. It's going to be quite a bit of work changing to a new implementation, which I don't have time for unfortunately. Especially given the questionable benefits. |
This does not seem to be the case: This seems to mean that new API surface in libsodium will not be implemented in the crate. But security fixes that arise will be fixed accordingly on the already existing API surface. |
|
That message is from before the repo was archived. |
The sodiumoxide project is now deprecated: sodiumoxide/sodiumoxide@5bb1dfd
The text was updated successfully, but these errors were encountered: