Skip to content

refactor(rng): localize legacy rng line to blocked crates#260

Merged
EffortlessSteven merged 2 commits into
mainfrom
rng-localize-legacy-line
Mar 15, 2026
Merged

refactor(rng): localize legacy rng line to blocked crates#260
EffortlessSteven merged 2 commits into
mainfrom
rng-localize-legacy-line

Conversation

@EffortlessSteven

Copy link
Copy Markdown
Member

Summary

This localizes the legacy rand 0.8 / rand_core 0.6 / rand_chacha 0.3 line to the crypto-edge crates that still need it instead of keeping those dependencies at workspace scope.

What changed

  • removed the legacy RNG trio from the root workspace dependency table
  • added direct legacy RNG dependencies to:
    • uselesskey-rsa
    • uselesskey-ecdsa
    • uselesskey-pgp
    • uselesskey-x509
  • updated the root manifest comment to describe the remaining transitive legacy edge accurately

Why

The helper/core lane has already moved off the legacy line. Keeping the old RNG trio in [workspace.dependencies] was still shaping the whole repo around a crypto-edge constraint that only applies to a bounded set of crates.

This PR does not claim full crypto-edge convergence yet. It narrows the legacy line to the crates that actually still require it and leaves the remaining upstream-constrained work explicit.

Refs #257.

Testing

  • cargo test -p uselesskey-integration-tests --features determinism-regression --test determinism_regression
  • cargo xtask gate

@coderabbitai

coderabbitai Bot commented Mar 14, 2026

Copy link
Copy Markdown

Summary by CodeRabbit

  • Chores

    • Updated random number generation dependencies across the workspace and individual crates to a newer, consistent configuration.
  • Tests

    • Made two RSA-related binary length fields treatable as platform-dependent in PGP snapshot tests to avoid flaky platform-specific failures.

Walkthrough

Workspace RNG aliases upgraded to rand 0.10.0 (aliased as rand10, rand_core10, rand_chacha10); several subcrates switched from workspace-linked RNG deps to explicit pinned versions (rand_core 0.6.4, rand_chacha 0.3.1). One PGP snapshot redacts platform-dependent binary lengths.

Changes

Cohort / File(s) Summary
Workspace manifest
Cargo.toml
Removed legacy workspace RNG entries (rand = "0.8.5", rand_core = { version = "0.6.4", ... }, rand_chacha = { version = "0.3.1", ... }) and added aliased RNG dependencies at 0.10.0: rand10, rand_core10, rand_chacha10 (all with default-features = false).
Subcrate Cargo.tomls
crates/uselesskey-ecdsa/Cargo.toml, crates/uselesskey-pgp/Cargo.toml, crates/uselesskey-rsa/Cargo.toml, crates/uselesskey-x509/Cargo.toml
Replaced workspace = true references for rand_chacha and rand_core with explicit versioned dependencies pinned to rand_chacha = { version = "0.3.1", default-features = false } and rand_core = { version = "0.6.4", default-features = false }.
Test snapshot update
crates/uselesskey-pgp/tests/snapshots_pgp.rs
In RSA-2048 PGP snapshot, marked .private_binary_len and .public_binary_len as PLATFORM_DEPENDENT (redacted) with comment about ±1 platform variance in MPI leading-zero encoding.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Poem

🐰 I hopped through Cargo, sniffed each crate,

Aliased rand to something great,
Subcrates now pin versions neat,
Snapshots hide what platforms meet,
Hooray — a tiny, tidy feat! 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title 'refactor(rng): localize legacy rng line to blocked crates' accurately summarizes the main change: moving legacy RNG dependencies from workspace scope to specific crates that need them.
Description check ✅ Passed The description is clearly related to the changeset, explaining what changed (localization of legacy RNG dependencies), why it was done (narrowing constraints), and testing performed.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
  • 📝 Generate docstrings (stacked PR)
  • 📝 Generate docstrings (commit on current branch)
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch rng-localize-legacy-line
📝 Coding Plan
  • Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist

Copy link
Copy Markdown

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the dependency management for legacy random number generator (RNG) crates. It shifts the declaration of older rand ecosystem dependencies from a global workspace scope to direct dependencies within the specific crypto-edge crates that still require them. This change aims to improve clarity and reduce the overall impact of these legacy dependencies across the repository, ensuring that only necessary components are constrained by older versions.

Highlights

  • Dependency Refactoring: Removed workspace-level legacy rand (0.8), rand_core (0.6), and rand_chacha (0.3) dependencies from the root Cargo.toml.
  • Localized Dependencies: Added direct dependencies for rand_chacha (0.3.1) and rand_core (0.6.4) to uselesskey-ecdsa, uselesskey-pgp, uselesskey-rsa, and uselesskey-x509 crates, localizing the legacy RNG line.
  • Documentation Update: Updated a comment in the root Cargo.toml to clarify the transitive nature of legacy rand_core for stable crypto-edge dependencies.
Changelog
  • Cargo.toml
    • Removed rand, rand_core, and rand_chacha (legacy versions) from workspace dependencies.
    • Updated a comment block related to RSA dependencies to reflect the localized legacy RNG dependencies.
  • crates/uselesskey-ecdsa/Cargo.toml
    • Replaced rand_chacha.workspace = true with a direct rand_chacha dependency (version 0.3.1).
    • Replaced rand_core.workspace = true with a direct rand_core dependency (version 0.6.4).
  • crates/uselesskey-pgp/Cargo.toml
    • Replaced rand_chacha.workspace = true with a direct rand_chacha dependency (version 0.3.1).
    • Replaced rand_core.workspace = true with a direct rand_core dependency (version 0.6.4).
  • crates/uselesskey-rsa/Cargo.toml
    • Replaced rand_chacha.workspace = true with a direct rand_chacha dependency (version 0.3.1).
    • Replaced rand_core.workspace = true with a direct rand_core dependency (version 0.6.4).
  • crates/uselesskey-x509/Cargo.toml
    • Replaced rand_chacha.workspace = true with a direct rand_chacha dependency (version 0.3.1).
    • Replaced rand_core.workspace = true with a direct rand_core dependency (version 0.6.4).
Activity
  • No specific activity has been recorded for this pull request yet.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors dependencies by moving the legacy RNG versions (rand 0.8, rand_core 0.6, rand_chacha 0.3) from the workspace-level dependencies to the specific crates that require them. The changes affect the Cargo.toml files for the root workspace and the uselesskey-ecdsa, uselesskey-pgp, uselesskey-rsa, and uselesskey-x509 crates. This change isolates legacy dependencies to a smaller set of crates. I have reviewed the changes and have no comments.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@crates/uselesskey-pgp/tests/snapshots_pgp.rs`:
- Line 115: Update the comment that currently reads "Binary lengths vary by ±1
across platforms (RSA MPI leading-zero encoding)." to a broader phrasing noting
these are full serialized OpenPGP packet lengths and can vary by ±1 due to
platform/implementation serialization differences (for example RSA MPI
leading-zero encoding, packet header or padding differences), so change the
comment in snapshots_pgp.rs accordingly to avoid implying a single specific
cause.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2b1e6aad-bb1a-4eaa-abec-a4c439927208

📥 Commits

Reviewing files that changed from the base of the PR and between 3e3d424 and f1679e6.

⛔ Files ignored due to path filters (1)
  • crates/uselesskey-pgp/tests/snapshots/snapshots_pgp__rsa_2048_snapshots__pgp_rsa_2048_key_metadata.snap is excluded by !**/*.snap
📒 Files selected for processing (1)
  • crates/uselesskey-pgp/tests/snapshots_pgp.rs

fingerprint: key.fingerprint().to_string(),
};

// Binary lengths vary by ±1 across platforms (RSA MPI leading-zero encoding).

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Clarify the variance cause in the comment.

Line 115 is overly specific. These lengths are for full serialized OpenPGP packets, so variance isn’t necessarily only from RSA MPI leading-zero encoding. Please broaden the wording to avoid misleading future debugging.

Suggested comment-only fix
-        // Binary lengths vary by ±1 across platforms (RSA MPI leading-zero encoding).
+        // Binary lengths can vary slightly across platforms due to OpenPGP serialization details
+        // (including, but not limited to, RSA MPI leading-zero handling).
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// Binary lengths vary by ±1 across platforms (RSA MPI leading-zero encoding).
// Binary lengths can vary slightly across platforms due to OpenPGP serialization details
// (including, but not limited to, RSA MPI leading-zero handling).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@crates/uselesskey-pgp/tests/snapshots_pgp.rs` at line 115, Update the comment
that currently reads "Binary lengths vary by ±1 across platforms (RSA MPI
leading-zero encoding)." to a broader phrasing noting these are full serialized
OpenPGP packet lengths and can vary by ±1 due to platform/implementation
serialization differences (for example RSA MPI leading-zero encoding, packet
header or padding differences), so change the comment in snapshots_pgp.rs
accordingly to avoid implying a single specific cause.

@EffortlessSteven EffortlessSteven merged commit cc15c6a into main Mar 15, 2026
4 checks passed
@EffortlessSteven EffortlessSteven deleted the rng-localize-legacy-line branch March 15, 2026 03:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant