I'm trying to get gRPC w/ rustls working, and recently bumped into a conflict with Rocket and tokio-rustls. Specifically, the ring dependency for Rocket (and all the deps it pulls in) is 0.13, whereas everything else is on 0.14.
error: failed to select a version for `ring`.
... required by package `cookie v0.11.0 (https://github.com/alexcrichton/cookie-rs.git#c59d94e1)`
... which is depended on by `rocket_http v0.4.0 (https://github.com/SergioBenitez/Rocket#7ab1c427)`
... which is depended on by `rocket v0.4.0 (https://github.com/SergioBenitez/Rocket#7ab1c427)`
... which is depended on by `api-frontend v0.1.0 (api-frontend)`
versions that meet the requirements `^0.14.0` are: 0.14.6, 0.14.5, 0.14.4, 0.14.3, 0.14.2, 0.14.1, 0.14.0
the package `ring` links to the native library `ring-asm`, but it conflicts with a previous package which links to `ring-asm` as well:
package `ring v0.13.5`
... which is depended on by `rustls v0.14.0`
... which is depended on by `hyper-sync-rustls v0.3.0-rc.4`
... which is depended on by `rocket_http v0.4.0 (https://github.com/SergioBenitez/Rocket#7ab1c427)`
... which is depended on by `rocket v0.4.0 (https://github.com/SergioBenitez/Rocket#7ab1c427)`
... which is depended on by `api-frontend v0.1.0 (api-frontend)`
It seems like @SergioBenitez and @alexcrichton own these repos. Can we get the versions bumped in git?
Maybe you can consider adding a service like dependabot to your repos as well, which will keep the dependencies up to date.
Updating ring's major version is a breaking change (in each project affected), so it cannot happen until at least cookie 0.12 and Rocket 0.5. It would be annoying to do that version bump solely because of ring's version, but it might be necessary if all of 0.13 does get yanked.
In the meantime, is there an older version of tokio-rustls that you can depend on that uses ring 0.13? If not, I think you would have to fork and/or patch some dependencies as long as the versions are not compatible.
I typed out the above without realizing your comment about git. Yes, it should be "safe" to do this in the master branches of these repositories.
For the time being I'm using the git version of cookie, however I had to drop TLS support from Rocket for now because it's quite broken with the latest ring & rustls.
I don't personally have time to maintain cookie any more, but if others would like to maintain it I can transfer it!
I'd be happy to do it :) Just hook me up with the creds.
I don't think the version-bumping solution (with the latest version of Rocket on the master branch) can satisfy all requirements, as I'm using a more recent version of ring, 0.16:
error: failed to select a version for `ring`.
... required by package `tls_sig_api v0.1.1-rc.1`
... which is depended on by `yukiri-im-backend v0.1.0 (C:\Users\34937\Documents\yukiri-im-backend)`
versions that meet the requirements `^0.16` are: 0.16.9, 0.16.7, 0.16.6, 0.16.5, 0.16.4, 0.16.3, 0.16.2, 0.16.1, 0.16.0
the package `ring` links to the native library `ring-asm`, but it conflicts with a previous package which links to `ring-asm` as well:
package `ring v0.14.0`
... which is depended on by `cookie v0.12.0`
... which is depended on by `rocket_http v0.5.0-dev (https://github.com/SergioBenitez/Rocket/#22442313)`
... which is depended on by `rocket v0.5.0-dev (https://github.com/SergioBenitez/Rocket/#22442313)`
... which is depended on by `yukiri-im-backend v0.1.0 (C:\Users\34937\Documents\yukiri-im-backend)`
failed to select a version for `ring` which could resolve this conflict
I will try to downgrade the ring version I depend on to see if I can get my lib adapted to the newest Rocket, but since 0.16 is a breaking change from 0.14, I hold a negative view.
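The resolver output in the comment above contains two dependency chains that both end at the workspace root; the entry just before the root is the direct dependency through which each `ring` requirement enters the build. As an added example (not part of the thread and not cargo's own code), this std-only Rust program parses that output; `parse_chains`, `spec` and `direct_dependency` are hypothetical names, and the line prefixes it matches are taken from the output quoted on this page.

```rust
// Added example: SAMPLE is the resolver error quoted in the comment above.
const SAMPLE: &str = r#"error: failed to select a version for `ring`.
... required by package `tls_sig_api v0.1.1-rc.1`
... which is depended on by `yukiri-im-backend v0.1.0 (C:\Users\34937\Documents\yukiri-im-backend)`
versions that meet the requirements `^0.16` are: 0.16.9, 0.16.7, 0.16.6, 0.16.5, 0.16.4, 0.16.3, 0.16.2, 0.16.1, 0.16.0
the package `ring` links to the native library `ring-asm`, but it conflicts with a previous package which links to `ring-asm` as well:
package `ring v0.14.0`
... which is depended on by `cookie v0.12.0`
... which is depended on by `rocket_http v0.5.0-dev (https://github.com/SergioBenitez/Rocket/#22442313)`
... which is depended on by `rocket v0.5.0-dev (https://github.com/SergioBenitez/Rocket/#22442313)`
... which is depended on by `yukiri-im-backend v0.1.0 (C:\Users\34937\Documents\yukiri-im-backend)`"#;

/// Extract "name vX.Y.Z" from the back-quoted package spec on a line,
/// dropping any "(source)" suffix such as a git URL or local path.
fn spec(line: &str) -> Option<String> {
    let start = line.find('`')? + 1;
    let end = line.rfind('`')?;
    if end <= start {
        return None; // zero or one backtick on the line
    }
    let mut parts = line[start..end].split_whitespace();
    Some(format!("{} {}", parts.next()?, parts.next()?))
}

/// Split the error text into chains. A chain starts at "required by package"
/// or at a bare "package `...`" line and grows with each "depended on by" line.
fn parse_chains(output: &str) -> Vec<Vec<String>> {
    let mut chains: Vec<Vec<String>> = Vec::new();
    for line in output.lines().map(str::trim) {
        let Some(pkg) = spec(line) else { continue };
        if line.starts_with("... required by package") || line.starts_with("package `") {
            chains.push(vec![pkg]);
        } else if line.starts_with("... which is depended on by") {
            if let Some(chain) = chains.last_mut() {
                chain.push(pkg);
            }
        }
    }
    chains
}

/// The crate listed in the root Cargo.toml: the entry just before the root.
fn direct_dependency(chain: &[String]) -> Option<&str> {
    chain.len().checked_sub(2).map(|i| chain[i].as_str())
}

fn main() {
    for chain in parse_chains(SAMPLE) {
        println!("{} enters via {:?}", chain[0], direct_dependency(&chain));
    }
}
```

Run on the output above, it reports `tls_sig_api` and `rocket` as the two direct dependencies whose `ring` requirements collide.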
This issue was originally about bumping to 0.14, which has been done. Bumping again to 0.16 would require a new release of hyper-sync-rustls, or it will happen when the async branch is merged into master.
Waiting for this may take too long for me. I notice that, as things stand, I don't need the cookie feature; can I turn this feature off?
Yes, default-features = false on rocket in your Cargo.toml will disable the private cookies feature and the dependency on ring.
Thanks! I finally worked around this by replacing my ring usage with RustCrypto's HMAC lib, after which I found your comment. But thanks again.