refactor(rng): localize legacy rng line to blocked crates#260
Conversation
Summary by CodeRabbit
WalkthroughWorkspace RNG aliases upgraded to rand 0.10.0 (aliased as rand10, rand_core10, rand_chacha10); several subcrates switched from workspace-linked RNG deps to explicit pinned versions (rand_core 0.6.4, rand_chacha 0.3.1). One PGP snapshot redacts platform-dependent binary lengths. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches
🧪 Generate unit tests (beta)
📝 Coding Plan
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request refactors the dependency management for legacy random number generator (RNG) crates. It shifts the declaration of older Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request refactors dependencies by moving the legacy RNG versions (rand 0.8, rand_core 0.6, rand_chacha 0.3) from the workspace-level dependencies to the specific crates that require them. The changes affect the Cargo.toml files for the root workspace and the uselesskey-ecdsa, uselesskey-pgp, uselesskey-rsa, and uselesskey-x509 crates. This change isolates legacy dependencies to a smaller set of crates. I have reviewed the changes and have no comments.
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@crates/uselesskey-pgp/tests/snapshots_pgp.rs`:
- Line 115: Update the comment that currently reads "Binary lengths vary by ±1
across platforms (RSA MPI leading-zero encoding)." to a broader phrasing noting
these are full serialized OpenPGP packet lengths and can vary by ±1 due to
platform/implementation serialization differences (for example RSA MPI
leading-zero encoding, packet header or padding differences), so change the
comment in snapshots_pgp.rs accordingly to avoid implying a single specific
cause.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 2b1e6aad-bb1a-4eaa-abec-a4c439927208
⛔ Files ignored due to path filters (1)
crates/uselesskey-pgp/tests/snapshots/snapshots_pgp__rsa_2048_snapshots__pgp_rsa_2048_key_metadata.snapis excluded by!**/*.snap
📒 Files selected for processing (1)
crates/uselesskey-pgp/tests/snapshots_pgp.rs
| fingerprint: key.fingerprint().to_string(), | ||
| }; | ||
|
|
||
| // Binary lengths vary by ±1 across platforms (RSA MPI leading-zero encoding). |
There was a problem hiding this comment.
Clarify the variance cause in the comment.
Line 115 is overly specific. These lengths are for full serialized OpenPGP packets, so variance isn’t necessarily only from RSA MPI leading-zero encoding. Please broaden the wording to avoid misleading future debugging.
Suggested comment-only fix
- // Binary lengths vary by ±1 across platforms (RSA MPI leading-zero encoding).
+ // Binary lengths can vary slightly across platforms due to OpenPGP serialization details
+ // (including, but not limited to, RSA MPI leading-zero handling).📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| // Binary lengths vary by ±1 across platforms (RSA MPI leading-zero encoding). | |
| // Binary lengths can vary slightly across platforms due to OpenPGP serialization details | |
| // (including, but not limited to, RSA MPI leading-zero handling). |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@crates/uselesskey-pgp/tests/snapshots_pgp.rs` at line 115, Update the comment
that currently reads "Binary lengths vary by ±1 across platforms (RSA MPI
leading-zero encoding)." to a broader phrasing noting these are full serialized
OpenPGP packet lengths and can vary by ±1 due to platform/implementation
serialization differences (for example RSA MPI leading-zero encoding, packet
header or padding differences), so change the comment in snapshots_pgp.rs
accordingly to avoid implying a single specific cause.
Summary
This localizes the legacy
rand 0.8/rand_core 0.6/rand_chacha 0.3line to the crypto-edge crates that still need it instead of keeping those dependencies at workspace scope.What changed
uselesskey-rsauselesskey-ecdsauselesskey-pgpuselesskey-x509Why
The helper/core lane has already moved off the legacy line. Keeping the old RNG trio in
[workspace.dependencies]was still shaping the whole repo around a crypto-edge constraint that only applies to a bounded set of crates.This PR does not claim full crypto-edge convergence yet. It narrows the legacy line to the crates that actually still require it and leaves the remaining upstream-constrained work explicit.
Refs #257.
Testing
cargo test -p uselesskey-integration-tests --features determinism-regression --test determinism_regressioncargo xtask gate