-
Notifications
You must be signed in to change notification settings - Fork 244
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Commit "minimal" and "latest" lockfiles #591
Commit "minimal" and "latest" lockfiles #591
Conversation
The `cbor` crate has been unmaintained for several years, and depends on the ancient `rustc_serialize` crate which (a) doesn't build on WASM, and (b) doesn't build when we use a minimal-dep Cargo.lock. (The latter is because cbor specifies rustc_serialize 0.3.0 when it should specify 0.3.1, but there is nothing we can do to fix that when cbor is unmaintained.) This changes a hardcoded value in a regression test, but it's because we're replacing the serialization engine rather than changing our code, so this is not actually a change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK 1b12cc5
The idea is then that we would each publish crev reviews for all the crates (and versions) in both lock files, right? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK 1b12cc5
Didn't verify the lock files.
// Secret key is 32 bytes. CBOR adds a byte of metadata for 20 of these bytes, | ||
// (Apparently, any byte whose value is <24 gets an extra byte.) | ||
// It also adds a 1-byte length prefix and a byte of metadata for the whole vector. | ||
assert_eq!(e.len(), 54); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's really weird that different engines encode it differently but I don't care much; it's not our fault.
Great, thanks both of you! We need a rust-secp maintainer to ACK before I can merge but it sounds like we're agreed on strategy here. |
This is only needed for the serde test, so don't bother putting it in the README. Downstream users won't encounter this dependency and don't need to care about it.
@elichai @sanket1729 @jonasnick could one of you take a look and ACK this? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK bd9d3c9. Verified the lockfiles. The latest one has a couple lines diff, but that is expected :) . minimal one is the same
This is a proposed strategy for maintaining tested lockfiles in the rust-bitcoin ecosystem. The idea is that we would have both a "minimal" and a "latest" lockfile, and in both cases we have trusted crev reviews for all dependencies (this is not implemented here, I'd like to start by committing the lockfiles so we can agree what to review).
Periodically we can update the "latest" one to reflect new versions of deps that we've gotten around to reviewing.
I have local nix build scripts that are able to test every commit of proposed PRs against both lockfiles. In CI it is probably reasonable to at least do
cargo test --locked --all-features
with both of them, to make sure that the tests at least pass on each PR with them.Thoughts?