On Fri, Jan 16, 2026 at 7:19 AM Rodolfo Olivieri <rolivier@redhat.com> wrote:
Hi, folks! 

Looking at the dependency tree of Goose, I saw that they were pulling a package that was not needed for their application, and thus pulling tiny-keccak as part of it. I just disabled the default-features for that single dependency and now tiny-keccak is not present anymore 🎉

Still, regarding constant_time_eq, if my understanding is correct, since it's multi-licensed we are fine in this case? 

Yes, just make sure to omit CC0-1.0 as a choice for code. If non-code stuff is CC0, then the license is still valid and must be identified.

I do recommend that you package the dependencies individually though, otherwise it's going to be messy when it comes to auditing, fixing, and upgrading dependencies.

--
真実はいつも一つ!/ Always, there's only one truth!
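For readers following the thread, here is what "disabling the default-features for that single dependency" looks like in practice. This is an added illustration, not Goose's actual Cargo.toml and not code from anyone in this thread; the crate name `some-client` and the feature name `needed-feature` are placeholders, and the claim that its default feature set transitively pulls tiny-keccak is assumed for the example.

```toml
[dependencies]
# Weak form (constructed example): with default features on, `some-client`
# enables an optional backend that, in turn, depends on tiny-keccak, even
# though the application never uses that backend.
# some-client = "1.2"

# Corrected form: opt out of the defaults and list only the features the
# application really needs. Anything gated behind an unused default feature,
# tiny-keccak included in this constructed case, drops out of Cargo.lock.
some-client = { version = "1.2", default-features = false, features = ["needed-feature"] }
```

To confirm the crate is gone, and to find out which feature was pulling it in before the change, run `cargo tree -e features -i tiny-keccak` in the project; an empty result after regenerating Cargo.lock means no remaining dependency path enables it.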