zeroize: Apply zeroize patch to all repository crates.

[ilya-bobyr]

Similar to the changes in the main workspace Cargo.toml, we want to
remove constraints for zeroize in the programs/sbf and other
workspace crates.

See

commit a099c7a
Author: Illia Bobyr [email protected]
Date: Mon Oct 23 12:19:59 2023 -0700

zeroize: Allow versions newer than 1.3 for curve25519-dalek (#33516)

and

commit 01f1bf2
Author: Illia Bobyr [email protected]
Date: Fri Oct 20 18:20:51 2023 -0700

zeroize: Allow versions newer than 1.3 for aes-gcm-siv (#33618)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.9%. Comparing base (9ffbe2a) to head (50c886a).
Report is 855 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #33853   +/-   ##
=======================================
  Coverage    81.9%    81.9%           
=======================================
  Files         809      809           
  Lines      217717   217717           
=======================================
+ Hits       178345   178379   +34     
+ Misses      39372    39338   -34     

[ilya-bobyr]

Applying this PR makes the CI green for the whole repo, not just the main workspace: https://buildkite.com/solana-labs/solana/builds/103656.
So, hopefully, it will make it possible to have green CI when we include a newer version of zeroize in the k8s client repo.

[tareknaser]

Hello @ilya-bobyr ,

Currently, I'm working with a crate that demands curve25519-dalek version greater than 4, and due to the existing dependency issue, it's impossible to use this crate alongside Solana crates.
This related issue (see #26688) shows that others have faced the same problem.
The changes proposed in this PR are a much-needed solution to enable the use of both crates simultaneously.

Can you please share if there are plans to merge it in the near future?

Thank you!

[ilya-bobyr]

Hello @ilya-bobyr ,

Currently, I'm working with a crate that demands curve25519-dalek version greater than 4, and due to the existing dependency issue, it's impossible to use this crate alongside Solana crates. This related issue (see #26688) shows that others have faced the same problem. The changes proposed in this PR are a much-needed solution to enable the use of both crates simultaneously.

Can you please share if there are plans to merge it in the near future?

Thank you!

I think I will merge this PR in the next couple of days.
Does it allow you to build your crate, one of the solana crates and curve25519-dalek version 4 all together?

Long term, it solana should certainly upgrade to a newer version of both curve25519-dalek and aes-gcm-siv. And remove these patches.

[tareknaser]

This PR indeed resolves the zeroize pinning issue.
However, it's worth mentioning that the patch for aes-gcm-siv still introduces a constraint on the subtle crate, limiting it to (>=2, <2.5).
In my situation, this constraint still presents some difficulties.
I'd suggest this patch instead:

[patch.crates-io.aes-gcm-siv]
git = "https://github.com/RustCrypto/AEADs"
rev = "e1e35e0c4f4943da0a99ceb8477c421dcfae2c33"

[gregcusack]

Looks like there is a newer commit that removes the upper bound in the issue raised and discussed here. The updated commit here. I know the compatibility issue was around needing >1.4 and this commit removes the <1.5. But may be worth keeping if versioning requirements change in the future.

[palinko91]

I've tried this patch and solved my zeroize conflicts. Thank you for the solution.

[ronanyeah]

@gregcusack @joncinque Should this be re-opened? These dependencies have been causing problems in Rust projects for a long time now. #26688

[ilya-bobyr]

Sorry, I dropped the ball on this.
Got distracted with other work.
Need to look into the proposed newer versions, to see if it is safe to use them.

[willhickey]

This repository is no longer in use. Please re-open this pull request in the agave repo: https://github.com/anza-xyz/agave