Test with minimal dependency versions

[tcharding]

This is work originally done by Kixunil in #1272, I picked it up to help out. The only changes I made were rebasingg, updating the recent lock file, adding --locked to hashes contrib file, and adding a co-developed-by tag for accountability.

It could happen that we unknowingly depend on a new version of a crate without updating Cargo.toml. This could cause resolution issues for downstream users. It's also unclear for outsiders to know with which dependencies did we test the crate.

This change commits two lock files: minimal and recent. minimal contains minimal dependency versions, while recent contains dependency versions at the time of making the change.

Further, this adds CI jobs to test with both lock files, CI job for internals crate, removes old serde pinning and prints a warning if recent is no longer up to date. (We may have to override it somehow if any crate breaks MSRV.)

The documentation is also updated accordingly.

Closes #1230

[apoelstra]

ACK 5a6332d5dfd4733dd0390e26de88d81c69772e99

[apoelstra]

In my local scripts, I have a comment that says "no-std does not work on 1.48" and I test with 1.50 instead. @tcharding that may be what you need to do here.

[tcharding]

I don't understand why this is showing up in this PR? If we cannot build "no-std" with 1.48 why is CI ok for current master?

[Kixunil]

I think this is caused by old core2? We should probably bump its version. (IDK to which number)

[apoelstra]

Neat. Apparently core2 0.3.2 works. I guess we need to set our minimal version to that.

[tcharding]

Changes in force push

• Added a patch to the front of the PR to set core2 dependency to 0.3.2
• Updated the Cargo-minimal.lock file after building with the new core2 dependency

[tcharding]

This is blocking hex crate work.

[apoelstra]

ACK c129eb6d0016ddf110c9ed72300eee53a7ca769d

[stevenroose]

I haven't followed the details of this MR, but would it be hard to have support for this in the github CI matrix thing? So specify different versions to test for certain deps and then use update --precise for those in the CI script?

I'm asking because in dependent crates it'd be nice to have easy access to ways to support multiple rust-bitcoin versions as well.

Ofc this would be a great tool for the rust ecosystem as a whole, but as we know I don't think many other projects care enough about msrv and dep mgmt that this kind of thing would already exist in the CI tooling.

[stevenroose]

Is this like a format that GitHub CI will pick up and somehow make visible?

[tcharding]

This is some github syntax that gives color in their logs, @Kixunil found it but I didn't look up the docs when he told me about it.

[Kixunil]

IIRC it's visible when you open the lock file from the PR. It was long time since I looked into it.

[stevenroose]

utACK e6dc6f48da7e79a3c2a188ad69ef8a9d8d799ad7

[apoelstra]

Would like an ack from @Kixunil as well since this is based on his work.

@stevenroose yeah, I think this would be generally useful. This PR does introduce CI support for this (in contrib/test.sh) though in a little bit of a hacky way. I think we should merge this and then see what kind of problems we run into before cleaning it up and maybe trying to do a more general thing. I am curious what kind of support you'd like for downstream crates....I guess, ideally your downstream projects could "merge" these lockfiles from rust-bitcoin into their own. I'm not sure if there's any tool that can do that.

[apoelstra]

Needs rebase after #1732 since the included lockfiles now need to include honggfuzz.

BTW in #1732 I set the wrong honggfuzz version. It is at 0.5 but it needs to be 0.5.55 (or possibly lower....but certainly 0.5.0 is too low).

[Kixunil]

Looks reasonable, will wait until rebase with proper review. Unfortunately despite having more time I find it harder to get myself into reviewing large PRs. (Yes Tobin, it could be WOE-related, still debugging.)

[Kixunil]

IIRC it's visible when you open the lock file from the PR. It was long time since I looked into it.

[tcharding]

(Yes Tobin, it could be WOE-related, still debugging.)

What does WOE mean, Way Of Eating?

[tcharding]

I couldn't get a minimal honggfuzz dep because where ever I put --locked running ./fuzz.sh still updated the lock file. Does the Cargo-minimal.lock file have to commit to a minimal dependency version for honggfuzz?

[Kixunil]

Does the Cargo-minimal.lock file have to commit to a minimal dependency version for honggfuzz?

Probably, but I'm not sure if we need to test with minimal dev dependencies.

[apoelstra]

@tcharding I have had no problem with a minimal version of 0.5.55.

[apoelstra]

Note that #1821 actually changes fuzz/Cargo.toml to have the correct minimal honggfuzz reason. So I think it's fine that this PR merely includes it in the Cargo.lock.

[tcharding]

Note that #1821 actually changes fuzz/Cargo.toml to have the correct minimal honggfuzz reason. So I think it's fine that this PR merely includes it in the Cargo.lock.

Yep, sweet. I think you are right, we can merge these in any order.

[Kixunil]

Looks like there's a bug, the rest should be fine.

[Kixunil]

$deps is not defined.

[tcharding]

face palm, thanks man. I added DEPS="recent minimal", and put quotes around $dep everywhere as suggested by shellcheck.

[apoelstra]

ACK c4c64c0

[Kixunil]

ACK c4c64c0