Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Some maintenance #371

Closed
wants to merge 4 commits into from
Closed

Some maintenance #371

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4b73b43
fix: use proc-macro-error2
vmx Sep 30, 2024
ec98f9b
chore: cleanup deny.toml
vmx Sep 30, 2024
363c2a8
fix: fix all Clippy warnings on stable Rust
vmx Sep 30, 2024
026c117
fix: update to latest strobe-rs release
vmx Sep 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion codetable/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ digest = { version = "0.10.1", default-features = false, optional = true }
sha1 = { version = "0.10.5", default-features = false, optional = true }
sha2 = { version = "0.10.0", default-features = false, optional = true }
sha3 = { version = "0.10.0", default-features = false, optional = true }
strobe-rs = { version = "0.8.1", default-features = false, optional = true }
strobe-rs = { version = "0.10.0", default-features = false, optional = true }
ripemd = { version = "0.1.1", default-features = false, optional = true }
multihash-derive = { version = "0.9.0", path = "../derive", default-features = false }
core2 = { version = "0.4.0", default-features = false }
Expand Down
1 change: 0 additions & 1 deletion codetable/src/hasher_impl.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
#[cfg(any(
feature = "strobe",
feature = "identity",
feature = "blake2b",
feature = "blake2s",
feature = "blake3"
Expand Down
54 changes: 27 additions & 27 deletions codetable/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
#![cfg_attr(feature = "arb", allow(unreachable_code))] // Otherwise the "Cargo Hack" check fails since "arb" includes no hash algos by default
#![cfg_attr(docs_rs, feature(doc_cfg))]
#![cfg_attr(docsrs, feature(doc_cfg))]
#![cfg_attr(not(feature = "std"), no_std)]

//! A batteries-included code table of multihashes.
Expand All @@ -15,30 +15,30 @@ mod hasher_impl;
pub use multihash_derive::MultihashDigest;

#[cfg(feature = "blake2b")]
#[cfg_attr(docs_rs, doc(cfg(feature = "blake2b")))]
#[cfg_attr(docsrs, doc(cfg(feature = "blake2b")))]
pub use crate::hasher_impl::blake2b::{Blake2b256, Blake2b512, Blake2bHasher};
#[cfg(feature = "blake2s")]
#[cfg_attr(docs_rs, doc(cfg(feature = "blake2s")))]
#[cfg_attr(docsrs, doc(cfg(feature = "blake2s")))]
pub use crate::hasher_impl::blake2s::{Blake2s128, Blake2s256, Blake2sHasher};
#[cfg(feature = "blake3")]
#[cfg_attr(docs_rs, doc(cfg(feature = "blake3")))]
#[cfg_attr(docsrs, doc(cfg(feature = "blake3")))]
pub use crate::hasher_impl::blake3::{Blake3Hasher, Blake3_256};
#[cfg(feature = "ripemd")]
#[cfg_attr(docs_rs, doc(cfg(feature = "ripemd")))]
#[cfg_attr(docsrs, doc(cfg(feature = "ripemd")))]
pub use crate::hasher_impl::ripemd::{Ripemd160, Ripemd256, Ripemd320};
#[cfg(feature = "sha1")]
#[cfg_attr(docs_rs, doc(cfg(feature = "sha1")))]
#[cfg_attr(docsrs, doc(cfg(feature = "sha1")))]
pub use crate::hasher_impl::sha1::Sha1;
#[cfg(feature = "sha2")]
#[cfg_attr(docs_rs, doc(cfg(feature = "sha2")))]
#[cfg_attr(docsrs, doc(cfg(feature = "sha2")))]
pub use crate::hasher_impl::sha2::{Sha2_256, Sha2_512};
#[cfg(feature = "sha3")]
#[cfg_attr(docs_rs, doc(cfg(feature = "sha3")))]
#[cfg_attr(docsrs, doc(cfg(feature = "sha3")))]
pub use crate::hasher_impl::sha3::{
Keccak224, Keccak256, Keccak384, Keccak512, Sha3_224, Sha3_256, Sha3_384, Sha3_512,
};
#[cfg(feature = "strobe")]
#[cfg_attr(docs_rs, doc(cfg(feature = "strobe")))]
#[cfg_attr(docsrs, doc(cfg(feature = "strobe")))]
pub use crate::hasher_impl::strobe::{Strobe256, Strobe512, StrobeHasher};

/// Default (cryptographically secure) Multihash implementation.
Expand All @@ -54,92 +54,92 @@ pub use crate::hasher_impl::strobe::{Strobe256, Strobe512, StrobeHasher};
pub enum Code {
/// SHA-256 (32-byte hash size)
#[cfg(feature = "sha2")]
#[cfg_attr(docs_rs, doc(cfg(feature = "sha2")))]
#[cfg_attr(docsrs, doc(cfg(feature = "sha2")))]
#[mh(code = 0x12, hasher = crate::Sha2_256)]
Sha2_256,
/// SHA-512 (64-byte hash size)
#[cfg(feature = "sha2")]
#[cfg_attr(docs_rs, doc(cfg(feature = "sha2")))]
#[cfg_attr(docsrs, doc(cfg(feature = "sha2")))]
#[mh(code = 0x13, hasher = crate::Sha2_512)]
Sha2_512,
/// SHA3-224 (28-byte hash size)
#[cfg(feature = "sha3")]
#[cfg_attr(docs_rs, doc(cfg(feature = "sha3")))]
#[cfg_attr(docsrs, doc(cfg(feature = "sha3")))]
#[mh(code = 0x17, hasher = crate::Sha3_224)]
Sha3_224,
/// SHA3-256 (32-byte hash size)
#[cfg(feature = "sha3")]
#[cfg_attr(docs_rs, doc(cfg(feature = "sha3")))]
#[cfg_attr(docsrs, doc(cfg(feature = "sha3")))]
#[mh(code = 0x16, hasher = crate::Sha3_256)]
Sha3_256,
/// SHA3-384 (48-byte hash size)
#[cfg(feature = "sha3")]
#[cfg_attr(docs_rs, doc(cfg(feature = "sha3")))]
#[cfg_attr(docsrs, doc(cfg(feature = "sha3")))]
#[mh(code = 0x15, hasher = crate::Sha3_384)]
Sha3_384,
/// SHA3-512 (64-byte hash size)
#[cfg(feature = "sha3")]
#[cfg_attr(docs_rs, doc(cfg(feature = "sha3")))]
#[cfg_attr(docsrs, doc(cfg(feature = "sha3")))]
#[mh(code = 0x14, hasher = crate::Sha3_512)]
Sha3_512,
/// Keccak-224 (28-byte hash size)
#[cfg(feature = "sha3")]
#[cfg_attr(docs_rs, doc(cfg(feature = "sha3")))]
#[cfg_attr(docsrs, doc(cfg(feature = "sha3")))]
#[mh(code = 0x1a, hasher = crate::Keccak224)]
Keccak224,
/// Keccak-256 (32-byte hash size)
#[cfg(feature = "sha3")]
#[cfg_attr(docs_rs, doc(cfg(feature = "sha3")))]
#[cfg_attr(docsrs, doc(cfg(feature = "sha3")))]
#[mh(code = 0x1b, hasher = crate::Keccak256)]
Keccak256,
/// Keccak-384 (48-byte hash size)
#[cfg(feature = "sha3")]
#[cfg_attr(docs_rs, doc(cfg(feature = "sha3")))]
#[cfg_attr(docsrs, doc(cfg(feature = "sha3")))]
#[mh(code = 0x1c, hasher = crate::Keccak384)]
Keccak384,
/// Keccak-512 (64-byte hash size)
#[cfg(feature = "sha3")]
#[cfg_attr(docs_rs, doc(cfg(feature = "sha3")))]
#[cfg_attr(docsrs, doc(cfg(feature = "sha3")))]
#[mh(code = 0x1d, hasher = crate::Keccak512)]
Keccak512,
/// BLAKE2b-256 (32-byte hash size)
#[cfg(feature = "blake2b")]
#[cfg_attr(docs_rs, doc(cfg(feature = "blake2b")))]
#[cfg_attr(docsrs, doc(cfg(feature = "blake2b")))]
#[mh(code = 0xb220, hasher = crate::Blake2b256)]
Blake2b256,
/// BLAKE2b-512 (64-byte hash size)
#[cfg(feature = "blake2b")]
#[cfg_attr(docs_rs, doc(cfg(feature = "blake2b")))]
#[cfg_attr(docsrs, doc(cfg(feature = "blake2b")))]
#[mh(code = 0xb240, hasher = crate::Blake2b512)]
Blake2b512,
/// BLAKE2s-128 (16-byte hash size)
#[cfg(feature = "blake2s")]
#[cfg_attr(docs_rs, doc(cfg(feature = "blake2s")))]
#[cfg_attr(docsrs, doc(cfg(feature = "blake2s")))]
#[mh(code = 0xb250, hasher = crate::Blake2s128)]
Blake2s128,
/// BLAKE2s-256 (32-byte hash size)
#[cfg(feature = "blake2s")]
#[cfg_attr(docs_rs, doc(cfg(feature = "blake2s")))]
#[cfg_attr(docsrs, doc(cfg(feature = "blake2s")))]
#[mh(code = 0xb260, hasher = crate::Blake2s256)]
Blake2s256,
/// BLAKE3-256 (32-byte hash size)
#[cfg(feature = "blake3")]
#[cfg_attr(docs_rs, doc(cfg(feature = "blake3")))]
#[cfg_attr(docsrs, doc(cfg(feature = "blake3")))]
#[mh(code = 0x1e, hasher = crate::Blake3_256)]
Blake3_256,
/// RIPEMD-160 (20-byte hash size)
#[cfg(feature = "ripemd")]
#[cfg_attr(docs_rs, doc(cfg(feature = "ripemd")))]
#[cfg_attr(docsrs, doc(cfg(feature = "ripemd")))]
#[mh(code = 0x1053, hasher = crate::Ripemd160)]
Ripemd160,
/// RIPEMD-256 (32-byte hash size)
#[cfg(feature = "ripemd")]
#[cfg_attr(docs_rs, doc(cfg(feature = "ripemd")))]
#[cfg_attr(docsrs, doc(cfg(feature = "ripemd")))]
#[mh(code = 0x1054, hasher = crate::Ripemd256)]
Ripemd256,
/// RIPEMD-320 (40-byte hash size)
#[cfg(feature = "ripemd")]
#[cfg_attr(docs_rs, doc(cfg(feature = "ripemd")))]
#[cfg_attr(docsrs, doc(cfg(feature = "ripemd")))]
#[mh(code = 0x1055, hasher = crate::Ripemd320)]
Ripemd320,
}
Expand Down
26 changes: 3 additions & 23 deletions deny.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,32 +1,11 @@

[advisories]
ignore = [
# https://rustsec.org/advisories/RUSTSEC-2021-0145
# 1. On windows, `atty` dereferences a potentially unaligned pointer.
# 2. Last release of `atty` was almost 3 years ago.
"RUSTSEC-2021-0145",

# https://rustsec.org/advisories/RUSTSEC-2021-0127
# 1. serde_cbor is unmaintained
"RUSTSEC-2021-0127"
]
notice = "deny"
unmaintained = "warn"
vulnerability = "deny"
yanked = "deny"

[licenses]
allow = [
"Apache-2.0",
"BSD-2-Clause",
"BSD-3-Clause",
"CC0-1.0",
"MIT",
"Unicode-DFS-2016",
]
default = "deny"
confidence-threshold = 1.0
unlicensed = "deny"

[bans]
allow = []
Expand All @@ -35,10 +14,11 @@ deny = []
# * Resolve duplicate versions of itoa (used by criterion)
# * Remove atty from criterion
# * Resolve duplicate versions of constant_time_eq (used by blake2_sid and blake3)
multiple-versions = "warn"
multiple-versions = "deny"
skip = []
skip-tree = []
wildcards = "warn"
wildcards = "deny"
allow-wildcard-paths = true

[sources]
allow-git = []
Expand Down
2 changes: 1 addition & 1 deletion derive-impl/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ proc-macro = true
[dependencies]
proc-macro2 = { version = "1.0.24", features = ["span-locations"] }
proc-macro-crate = "3.1.0"
proc-macro-error = "1.0.4"
proc-macro-error2 = "2.0.1"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This crate doesn't seem too popular. What's the issue with keeping the old one?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason is https://rustsec.org/advisories/RUSTSEC-2024-0370.html. And if you run something like cargo-deny (which we do on CI), it will complain about it. And I would expect that maybe someone will complain, hence it's easier to upgrade to that one. Another point is that crates are moving on to syn v2, so you would've less duplicated deps as proc-macro-error is still using v1.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd be more concerned about using a random crate than using a so-called "unmaintained" crate, from a supply-chain perspective at least.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The supply-chain perspective is a good point. I'll update that PR when I find time.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(I have to wonder if we could just vendor it)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you find it annoying, please complain to the rustsec project.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To expand on that, it's one thing if an unmaintained project has security issues piling up. But jumping to the latest hot fork is just as likely to cause problems as not. Declaring a project unmaintained without a clear replacement is literally just dangling a vulnerable part of the OSS supply chain in front of potential attackers and asking them to "jump in and take a bite".

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://rustsec.org/advisories/RUSTSEC-2024-0370.html lists 3 replacements, including proc-macro-error2 used in this PR. And it does pull outdated version of syn that is one more thing to compile for everyone downstream.

So overall I think it is fair to warn users that this crate is unmaintained and if they have any issues with it in the future, there will be no easy solution for them, which is even worse when dependency is indirect.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://rustsec.org/advisories/RUSTSEC-2024-0370.html lists 3 replacements, including proc-macro-error2 used in this PR.

I'm talking about clear replacements. In this case, both the advisory and the suggestion to use proc-macro-error2 were submitted by the author of proc-macro-error2.

The other alternatives were added later, but still aren't clear replacements.

So overall I think it is fair to warn users that this crate is unmaintained and if they have any issues with it in the future, there will be no easy solution for them, which is even worse when dependency is indirect.

RUSTSEC is a security project and treats these advisories as security advisories. Sure, I get warning about unmaintained security critical bits if there is a clear maintained replacement, but reports like this one just cause people to complain and are more likely to cause security issues than they are to resolve them.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, here's a version that simply drops the offending dependency: #372.

quote = "1.0.7"
syn = "2.0.66"
synstructure = "0.13.1"
4 changes: 1 addition & 3 deletions derive-impl/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,11 @@
//! For example, the actual trait that we are deriving `MultihashDigest`, as well as the `Hasher` trait and
//! the `UnsupportedCode` error type.

extern crate proc_macro;

mod multihash;
mod utils;

use proc_macro::TokenStream;
use proc_macro_error::proc_macro_error;
use proc_macro_error2::proc_macro_error;
use synstructure::macros::{parse, DeriveInput};
use synstructure::{MacroResult, Structure};

Expand Down
8 changes: 4 additions & 4 deletions derive-impl/src/multihash.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -112,14 +112,14 @@ impl<'a> From<&'a VariantInfo<'a>> for Hash {
#[cfg(test)]
panic!("{}", msg);
#[cfg(not(test))]
proc_macro_error::abort!(ident, msg);
proc_macro_error2::abort!(ident, msg);
});
let hasher = hasher.unwrap_or_else(|| {
let msg = "Missing hasher attribute: e.g. #[mh(hasher = multihash::Sha2_256)]";
#[cfg(test)]
panic!("{}", msg);
#[cfg(not(test))]
proc_macro_error::abort!(ident, msg);
proc_macro_error2::abort!(ident, msg);
});
Self {
ident,
Expand Down Expand Up @@ -156,7 +156,7 @@ fn parse_code_enum_attrs(ast: &syn::DeriveInput) -> syn::LitInt {
#[cfg(test)]
panic!("{}", msg);
#[cfg(not(test))]
proc_macro_error::abort!(&ast.ident, msg);
proc_macro_error2::abort!(&ast.ident, msg);
}
}
}
Expand Down Expand Up @@ -184,7 +184,7 @@ fn error_code_duplicates(hashes: &[Hash]) {
{
let already_defined = uniq.get(code).unwrap();
let line = already_defined.to_token_stream().span().start().line;
proc_macro_error::emit_error!(
proc_macro_error2::emit_error!(
&hash.code, msg;
note = "previous definition of `{}` at line {}", quote!(#code), line;
);
Expand Down
Loading