Retro compatible for p256 0.10.0

[rodoufu]

Motivation and Context

Keeping it retro compatible with solana-sdk 1.16

Description

Updating p256 version from 0.11 to 0.10 will still allow version 0.11 but will include 0.10 which is necessary when building something that includes solana-sdk version 1.16.

• solana-sdk https://crates.io/crates/solana-sdk/1.16.27/dependencies
  • curve25519-dalek https://crates.io/crates/curve25519-dalek/3.2.1/dependencies
    • zeroize >=1, <1.4
• p256 https://crates.io/crates/p256/0.10.1/dependencies
  • elliptic-curve https://crates.io/crates/elliptic-curve/0.11.12/dependencies
    • zeroize ^1

p256 0.11 has another version of zeroize which is incompatible

• p256 https://crates.io/crates/p256/0.11.0/dependencies
  • elliptic-curve https://crates.io/crates/elliptic-curve/0.12.3/dependencies
    • zeroize ^1.5

How to reproduce the issue.

Create a project with this Cargo.toml:

[package]
name = "test_aws"
version = "0.1.0"
edition = "2021"

[dependencies]
solana-sdk = "1.16.27"
aws-sigv4 = { version = "1.2.1", features = ["sigv4a"] }

Then run this:

cargo test --all-features
    Updating crates.io index
error: failed to select a version for `zeroize`.
    ... required by package `curve25519-dalek v3.2.1`
    ... which satisfies dependency `curve25519-dalek = "^3.2.1"` of package `solana-program v1.16.27`
    ... which satisfies dependency `solana-program = "=1.16.27"` of package `solana-sdk v1.16.27`
    ... which satisfies dependency `solana-sdk = "^1.16.27"` of package `test_aws v0.1.0 (/Users/rodolfo-araujo/git/test_aws)`
versions that meet the requirements `>=1, <1.4` are: 1.3.0, 1.2.0, 1.1.1, 1.1.0, 1.0.0

all possible versions conflict with previously selected packages.

  previously selected package `zeroize v1.5.3`
    ... which satisfies dependency `zeroize = "^1"` of package `aws-sigv4 v1.2.1`
    ... which satisfies dependency `aws-sigv4 = "^1.2.1"` of package `test_aws v0.1.0 (/Users/rodolfo-araujo/git/test_aws)`

failed to select a version for `zeroize` which could resolve this conflic

[jdisanti]

Hello. Can you explain the problem some more? I don't really understand. If the conflict is between zeroize ^1 and zeroize ^1.5, it should just work. ^1 is compatible with ^1.5, so it would just choose ^1.5.

[rodoufu]

Hello. Can you explain the problem some more? I don't really understand. If the conflict is between zeroize ^1 and zeroize ^1.5, it should just work. ^1 is compatible with ^1.5, so it would just choose ^1.5.

@jdisanti I'm sorry, I had it wrong in the description the first time I sent it.
I have fixed the description.

When I created it initially I got the wrong version of curve25519-dalek, the version that cargo is resolving is actually 3.2.1 which requires zeroize >=1, <1.4 but p256 0.11 requires zeroize ^1.5, that is the conflict.

I've also added a simple example of how to reproduce it with only a simple Cargo.toml file.

[ysaito1001]

Instead of downgrading p256 used by aws-sigv4 to 0.10.0, is it possible to ask the maintainers for solana-sdk to upgrade their dependency on curve25519-dalek (the latest of which, 4.1.2, does not have semver upper bound < 1.4 on zeroize)? You can then use the upgraded solana-sdk.

[rodoufu]

Instead of downgrading p256 used by aws-sigv4 to 0.10.0, is it possible to ask the maintainers for solana-sdk to upgrade their dependency on curve25519-dalek (the latest of which, 4.1.2, does not have semver upper bound < 1.4 on zeroize)? You can then use the upgraded solana-sdk.

@ysaito1001 updating curve25519-dalek to 4.1.2 breaks a lot of stuff in solana-sdk. I'm guessing that is why they are still using 3.2.1 in their latest version https://crates.io/crates/solana-sdk/1.18.11/dependencies
I've been trying to open an MR with them as well, with the smaller impact as I can.

[rodoufu]

@ysaito1001 to update solana one would also need to update its version of rand to 0.8 on jsonrpc from Parity for which I have an open PR as well paritytech/jsonrpc#688

Also, the change I added should not necessarily downgrade p256 0.11 to p256 0.10, but it will accept it when it is possible, it is just less restrictive.