Breaking Dependency `pem-rfc7468` for MSRV (Minimum Supported Rust Version)

[noahcoetsee]

Hey guys!

Just wondering, it appears the pkcs8 dependency of this package is importing another dependency (pem-rfc7468) that is dependent on edition="2021", breaking the MRV statement in the README.md and on crates.io. Not sure how big of an issue this is, but I know there are some projects that still use Rust 1.51 with this package that are now blocked from updating to rsa v0.5.0, which is causing some issues because rsa 0.4 still conflicts with RUSTSEC-2020-0159, causing all sorts of security audit issues, etc.

I looks like pem-rfc7468 is an optional dependency of pkcs8, but the rsa crate still depends on it.

Just wondering if this is mistake or if ya'll are moving your MSRV or if this is just a mistake?

Thanks!

[tarcieri]

There is no current release of pem-rfc7468 which uses edition = "2021". The latest release is v0.2.3 which is edition = "2018" as you can see here:

https://docs.rs/crate/pem-rfc7468/0.2.3/source/Cargo.toml

In the git repository, the edition has been bumped to 0.3.0-pre, but that has not been released yet.

I'm guessing this might be due to the base64ct crate instead of pem-rfc7468 itself, as that has been bumped to the 2021 edition and released.

If that's the source of the problem, I can cut another pem-rfc7468 release that pins the base64ct version to avoid this problem.

The best way to determine this is actually the problem is to try pinning the base64ct release yourself in Cargo.toml:

base64ct = "=1.1.1"

Note that these kinds of MSRV breakages are an ongoing pain point in Rust which will hopefully eventually be addressed by MSRV-dependent dependency resolution.

[noahcoetsee]

Oh yes, foolish me. That was the package causing the main error and I got so caught up following it up the dependency tree that I forgot to include it in the issue lol.

Pinning it has worked for me, so that does seem to be the root cause of the issue.

[tarcieri]

I released pem-rfc7468 which constrains base64ct to <1.2 to prevent this breakage:

https://github.com/RustCrypto/formats/pull/193/files

Let me know if that fixes the issue.

[noahcoetsee]

Works like a charm, thanks!