I'm personally fine doing a major version bump. The changes will end up being concretely small, and I think it's perfectly healthy for a project to do major version bumps periodically. Low confidence opinion though, so I'll defer to you if you feel strongly in the opposite direction.
Sometime in the next few months we'll be releasing new versions of the @RustCrypto crates.
I would like to get a vibe check on how people would feel about not bumping the major versions of the dalek crates (curve25519-dalek, ed25519-dalek, x25519-dalek) as part of this release.
Major version bumps are hard. This crate is often exposed in public APIs. For example it took Solana well over a year to update. Even now about 20% of downloads are for obsolete versions.
There isn't an explicit need to bump major versions: the existing SemVer policy allows for such upgrades along minor version boundaries. However, not everyone may have read about that or how to pin versions correctly and will open angry issues when cargo update fails to work.
Note the @RustCrypto crates will also carry a 2024 edition bump, which exacerbates the problems with an unhelpful error message when using Rust versions older than 1.85.
A major version bump might make this whole upgrade process smoother by avoiding breaking changes to the @RustCrypto crates. It would also provide an opportunity to remove previously deprecated APIs and make other breaking changes. See also: #476
I'm asking mainly because ed25519-dalek is one of the most notable consumers of the signature crate aside from the @RustCrypto crates and there are some potential unrelated breaking changes it would be nice to make there, but doing those would require a major version bump of ed25519-dalek at the very least. If we-as-dalek decide that bumping major version is unwarranted or too much of a hassle, we can similarly avoid a breaking release of the signature crate.