From 9cbaac582f958f3538362892b9d01b2cfcff9da5 Mon Sep 17 00:00:00 2001
From: pinkforest <36498018+pinkforest@users.noreply.github.com>
Date: Tue, 13 Sep 2022 18:57:53 +1000
Subject: [PATCH] meta: relax crypto dependency's semver

Pinning crypto libraries in this library makes it hard to manage dependencies in the binary consumer side that relies on this lib. For these reasons it is recommended in Rust idiomatic way to manage the dependency bumps via Cargo.lock in the binary side instead as part of regular maintenance chores. This change both bumps up the crypto to now required mininum versions and makes it flexible to bump up the crypto via binaries that uses the lock file to manage dependency version bumps.

Signed-off-by: pinkforest <36498018+pinkforest@users.noreply.github.com>
---
 Cargo.toml | 12 +++++-------
 deny.toml | 4 ----
 src/crypto.rs | 5 +----
 3 files changed, 6 insertions(+), 15 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index 81a7d3e..e8fb74e 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -27,22 +27,20 @@ thiserror = "1.0"
 
 # CRYPTO
 #
-# NOTE: by policy, we pin non-dev cryptographic libraries to their exact
-# versions, requiring explicit maintainer action to apply upgrades. The
-# `deny.toml` is set up such that unintended upgrades are (hopefully) rejected.
+# The binary consumer dictates these versions via .lock
+# The .lock is used to screen the crypto dependency minor/patch bumps
 #
 [dependencies.chacha20poly1305]
-version = "=0.9.0"
+version = "^0.10.1"
 default-features = false
 features = ["alloc"]
 
 [dependencies.ed25519-zebra]
-version = "=3.0.0"
+version = "^3.0.0"
 
 [dependencies.scrypt]
-version = "=0.8.0"
+version = "^0.10.0"
 default-features = false
-# END CRYPTO
 
 [dev-dependencies]
 tokio = { version = ">= 1.8.4", features = ["macros", "rt"] }
diff --git a/deny.toml b/deny.toml
index 493aad2..e4dc7db 100644
--- a/deny.toml
+++ b/deny.toml
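Review bot: The new comment lines `# The binary consumer dictates these versions via .lock` and `# The .lock is used to screen the crypto dependency minor/patch bumps` describe a control this crate cannot exercise: a library's Cargo.lock is not honored by dependents, and with the deny.toml hunk deleting the `deny = [` entries for these crates, nothing left in this repository screens a minor or patch bump of chacha20poly1305, ed25519-zebra or scrypt before it reaches consumers. Say that plainly so the next maintainer does not assume a gate still exists, e.g. `# Crypto crates use caret ranges: the exact version is chosen by each consumer's own Cargo.lock,` / `# and reviewing those upgrades is the consumer's job; the cargo-deny bans were removed with this change.` The `^` prefix is Cargo's default operator and the rest of the file writes `thiserror = "1.0"`, so `version = "0.10.1"` would read consistently. The hunk also gives no sign that CI builds against the declared minimums, so the `0.10.1` and `0.10.0` floors should be confirmed to actually compile (for example with `cargo +nightly update -Z minimal-versions`) rather than only the latest resolved release.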
@@ -165,10 +165,6 @@ deny = [
 # Each entry the name of a crate and a version range. If version is
 # not specified, all versions will be matched.
 #{ name = "ansi_term", version = "=0.11.0" },
- { name = "chacha20poly1305", version = "> 0.9.0" },
- { name = "ed25519-zebra", version = "> 3.0.0" },
- { name = "curve25519-dalek", version = "> 3.2.0" },
- { name = "scrypt", version = "> 0.8.0" },
 ]
 # Certain crates/versions that will be skipped when doing duplicate detection.
 skip = [
diff --git a/src/crypto.rs b/src/crypto.rs
index 6d791e9..8dfa830 100644
--- a/src/crypto.rs
+++ b/src/crypto.rs
@@ -15,10 +15,7 @@
 // You should have received a copy of the GNU General Public License
 // along with this program. If not, see .
 
-use chacha20poly1305::{
- aead,
- aead::{Aead, NewAead},
-};
+use chacha20poly1305::{aead, aead::Aead, KeyInit};
 use generic_array::GenericArray;
 use secstr::{SecStr, SecUtf8};
 use serde::{Deserialize, Serialize};
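Review bot: The context line `use generic_array::GenericArray;` directly below the new import pairs a separately declared `generic_array` dependency with whichever `generic_array` the chacha20poly1305 0.10 stack resolves, and now that the exact pins are gone the two can drift apart on a future `cargo update`, which would likely show up as confusing type mismatches at the `GenericArray` key and nonce sites rather than at this line. Importing the version re-exported through the aead crate keeps them in lockstep by construction: `use chacha20poly1305::aead::generic_array::GenericArray;` (the direct `generic_array` dependency could then be dropped from Cargo.toml if nothing else in the crate uses it). The switch from `NewAead` to `KeyInit` is the expected rename for this version bump; the functions that call `new`/`new_from_slice` on the cipher sit outside the hunk and should be checked against the `KeyInit` method names. Since aead 0.5 should re-export `KeyInit` as well, `use chacha20poly1305::aead::{self, Aead, KeyInit};` would keep the grouped form the removed lines used.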