Please publish a patch release of zeroize_derive 1.1 that fixes #876 but keeps the MSRV constant #880

teythoon · 2021-10-07T10:10:28Z

In the process of addressing #876 all versions of zeroize_derive prior to 1.2 were yanked. Going from 1.1 to 1.2 raises the MSRV from 1.47 to 1.51. This puts projects that -for whatever reason- cannot or prefer not to raise their MSRV into a difficult position:

Continuing to use zeroize_derive 1.1 means using an insecure version of zeroize_derive.
Continuing to use zeroize_derive 1.1 means not being able to make releases of binary crates (as I understand crate.io's yank semantics).
Raising their MSRV to be able to use zeroize_derive 1.2 makes their project unsuitable for their target audience.

It would be great if you could publish a version 1.1.1 of zeroize_derive that fixes the security problem while keeping the MSRV constant.

tony-iqlusion · 2021-10-07T18:40:47Z

I can try to backport this to an MSRV compatible release when I have some time

teythoon · 2021-10-11T09:10:30Z

Thanks!

daviddrysdale mentioned this issue Oct 8, 2021

Update zeroize_derive dependency project-oak/tink-rust#202

Closed

tony-iqlusion mentioned this issue Oct 9, 2021

zeroize_derive v1.1.1 #881

Merged

tony-iqlusion closed this as completed in #881 Oct 9, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Please publish a patch release of zeroize_derive 1.1 that fixes #876 but keeps the MSRV constant #880

Please publish a patch release of zeroize_derive 1.1 that fixes #876 but keeps the MSRV constant #880

teythoon commented Oct 7, 2021

tony-iqlusion commented Oct 7, 2021

teythoon commented Oct 11, 2021

Please publish a patch release of zeroize_derive 1.1 that fixes #876 but keeps the MSRV constant #880

Please publish a patch release of zeroize_derive 1.1 that fixes #876 but keeps the MSRV constant #880

Comments

teythoon commented Oct 7, 2021

tony-iqlusion commented Oct 7, 2021

teythoon commented Oct 11, 2021