Skip to content

Complete crypto-edge RNG convergence #257

Description

@EffortlessSteven

Current state

0.4.0 shipped the RNG-boundary release:

  • the published API is seed-oriented instead of exposing rand / rand_core types
  • helper/core crates moved onto the newer rand line where RNG is an implementation detail
  • support cleanup landed

What did not land is full crypto-edge RNG convergence. main still carries the legacy workspace RNG line and the remaining crypto-edge crates still rely on it directly or transitively.

Owner

Target release

  • 0.5.0

Scope checkpoint

  • April 3, 2026

Definition of done

  • remove the workspace-wide legacy RNG pin or narrow it to only the exact crates that truly cannot move yet
  • eliminate direct legacy rand_core.workspace dependence from the crypto-edge crates that can move
  • make deterministic-output drift explicit with regression coverage
  • leave one clear note for any crate that is still blocked by upstream dependencies
  • revisit the Dependabot ignore rule once this lane is actually complete

Checklist

  • inventory each remaining crypto-edge crate and its blocker
  • add deterministic regression coverage for RSA / ECDSA / Ed25519 / X.509 outputs
  • move crates that can converge without changing fixture identity
  • for crates that cannot yet converge, localize the legacy RNG line to that crate instead of pinning it at workspace scope
  • update root Cargo.toml comments so they describe reality, not stale intent
  • revisit the Dependabot ignore rules once the lane is complete

Acceptable outcomes

A. True convergence now

Move the remaining crypto-edge crates off the legacy line.

B. Isolate the old line properly

If upstream crates still force the old line, stop pinning it at workspace scope and localize it to the unavoidable crates only.

Implementation order

  1. guardrails first: deterministic snapshots, roundtrip checks, and cross-crate regression harnesses where output drift would matter
  2. inventory / blocker pass for RSA / ECDSA / Ed25519 / PGP / X.509
  3. bounded convergence PR stack grouped by dependency coupling
  4. root workspace cleanup only after the crate moves are real
  5. reduce or remove the Dependabot ignore rule once the lane is actually complete

Risks

  • deterministic output drift for fixtures and snapshots
  • larger cross-crate review and test surface
  • adapter behavior differences across downstream crypto stacks
  • release noise if public claims get ahead of actual convergence

Non-goals

  • no general cleanup sweep
  • no docs churn
  • no release-prep mixed into engineering
  • no opportunistic dependency churn
  • no retroactive widening of the 0.4.x release story

Verification bar

  • cargo xtask gate for the engineering stack
  • targeted deterministic and regression checks for any crypto-edge crate that moves
  • cargo xtask gate, cargo xtask publish-preflight, and cargo xtask publish-check during 0.5.0 release prep

Notes

The inventory comment on this issue should stay current with the exact remaining legacy-island crates and their blocker edges.

Metadata

Metadata

Labels

dependenciesDependency updates and security follow-upenhancementNew feature or requestrustPull requests that update rust code

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions