Skip to content

Release sapling-crypto version 0.7.0#185

Merged
nuttycom merged 4 commits into
mainfrom
release-0.7.0
Apr 21, 2026
Merged

Release sapling-crypto version 0.7.0#185
nuttycom merged 4 commits into
mainfrom
release-0.7.0

Conversation

@nuttycom

Copy link
Copy Markdown
Contributor

No description provided.

@nuttycom
nuttycom force-pushed the release-0.7.0 branch 3 times, most recently from ed02985 to d1df461 Compare April 21, 2026 17:29
This update removes the `no_std` feature from `typenum`;
--no-default-features behavior is now correct and does not require
additional flagging for `no_std` support.
@schell

schell commented Apr 21, 2026

Copy link
Copy Markdown

@zodl-review

@zodl-review

zodl-review Bot commented Apr 21, 2026

Copy link
Copy Markdown

🤖 Claude Review

Review: sapling-crypto v0.7.0 Release

1. Summary

Release PR for sapling-crypto 0.7.0: bumps version, updates dev-dependencies (criterion 0.4→0.5, pprof 0.11→0.15), removes the typenum no_std workaround, adds supply-chain tooling (cargo-vet, cargo-deny audit workflows), and switches to Cargo resolver 3.

2. Risk Assessment

Low. This is a release/housekeeping PR with no changes to cryptographic code, consensus-relevant logic, or public APIs beyond what was already merged under [Unreleased]. The diff touches CI, dependency pins, and metadata only. The core2→corez migration mentioned in the changelog landed in a prior PR.

3. Key Observations

Good:

  • Supply-chain hardening is welcome: cargo-vet with imports from zcash/mozilla/google/isrg ecosystems, cargo-deny licenses check, and pinned GitHub Action SHAs (actions/checkout@de0fac..., cargo-deny-action@175dc7...). This is exactly the right posture for a crypto crate.
  • CHANGELOG properly notes the MSRV bump (1.85.1) and the core2corez migration (core2 was yanked, so this is a correctness fix).
  • Removing the typenum no_std workaround reflects upstream typenum no longer requiring the feature gate — confirmed by the bump to 1.20.0. The README update is consistent.
  • resolver = "3" is appropriate given MSRV 1.85.1 (resolver 3 requires ≥1.84).
  • deny.toml targets cover the realistic zcashd + mobile SDK deployment surface.

Needs attention:

  • Release date 2026-04-21 in CHANGELOG looks like a typo/placeholder — should presumably be 2025. Worth fixing before tagging since this header becomes permanent in the crate's history.
  • PR description is empty. For a release PR, linking the full changelog diff range and noting any downstream breaking changes (e.g., Bundle::extract now takes &self) would help integrators.
  • The exemptions list in supply-chain/config.toml is large (expected for first cargo-vet adoption), but a follow-up issue to gradually audit/import entries like bellman, bls12_381, chacha20poly1305 would be valuable — these are crypto-critical.
  • pprof 0.15 raises the dev-dep MSRV to 1.74 (as noted in the comment), but since it's unix-only dev-dep and below the crate MSRV of 1.85.1, no issue.
  • Cargo.lock shows thiserror now exists at both 1.x and 2.x — fine but worth tracking for future dedup.

4. Suggestions

  1. Fix the release date to 2025-04-21 (or current date) before merging/tagging.
  2. Add a one-line PR description linking to the CHANGELOG section and calling out that pczt::Bundle::extract is a breaking API change.
  3. File a follow-up to reduce cargo-vet exemptions, prioritizing the cryptographic dependencies.
  4. Confirm the [Unreleased] section in CHANGELOG is empty post-merge (the diff leaves it present, which is correct).

No consensus or cryptographic concerns.


Automated review by zodl-review bot · Model: us.anthropic.claude-opus-4-7 · [Silent pilot — feedback welcome]

@schell

schell commented Apr 21, 2026

Copy link
Copy Markdown

@y4ssi - interesting that ZODLbot thinks it's 2025. Is that something in its system prompt, skill or just part of its training data, I wonder?

@y4ssi

y4ssi commented Apr 21, 2026

Copy link
Copy Markdown

@schell Good catch — it's the training data cutoff, not the system prompt. The model (Opus 4.7, trained through May 2025) has no built-in clock and I wasn't injecting today's date into the user prompt, so anything in 2026+ looked like a placeholder to it.

Just pushed a fix: the prompt now starts with Today's date is YYYY-MM-DD (UTC) — trust this over any assumption from training data when evaluating dates, versions, or release timelines. Should stop it from flagging legitimate future dates as typos.

Thanks for surfacing it — exactly the kind of feedback the silent pilot was looking for.

@y4ssi

y4ssi commented Apr 21, 2026

Copy link
Copy Markdown

@zodl-review

@zodl-review

zodl-review Bot commented Apr 21, 2026

Copy link
Copy Markdown

🤖 Claude Review

Review: sapling-crypto PR #185 (Release v0.7.0)

1. Summary

Release PR for sapling-crypto 0.7.0, bumping version metadata, updating CI with supply-chain audits (cargo-vet, cargo-deny), switching off the yanked core2 crate, and refreshing dev dependencies (criterion 0.5, pprof 0.15).

2. Risk Assessment

Low. This is a release/infrastructure PR with no changes to cryptographic code, circuit logic, nullifier derivation, or consensus-relevant paths. The main runtime-facing change (core2corez) is confined to no_std IO, and the pczt extract signature change is ergonomic. Most diff volume is Cargo.lock churn, audit scaffolding, and exemption lists.

3. Key Observations

Good:

  • Correctly follows Keep-a-Changelog format with dated 0.7.0 section matching today (2026-04-21).
  • Adding cargo-vet + cargo-deny is a meaningful supply-chain hardening step for a consensus-relevant crate; importing zcash, mozilla, google, and ISRG audit sets is appropriate.
  • deny.toml target list covers zcashd, android-wallet-sdk, and swift-wallet-sdk — the real deployment surface.
  • Dropping the core2 dependency removes a yanked crate; moving to corez is the right call.
  • MSRV bump to 1.85.1 is consistent with the broader librustzcash ecosystem.
  • pczt::Bundle::extract taking &self is a small but correct API fix (previously consumed the bundle unnecessarily).

Needs attention:

  • CHANGELOG ordering bug: the ### Changed heading appears under ## [Unreleased] but the ## [0.7.0] header is inserted between them. As rendered, the "Changed" bullets will be attributed to 0.7.0 (which is likely intended) but [Unreleased] is left empty with no sub-sections — worth confirming the heading order was not accidentally transposed. Typical convention puts ### Changed under the dated release header.
  • resolver = "3" added to Cargo.toml. Resolver v3 requires Rust 1.84+, which the new MSRV (1.85.1) satisfies, but downstream consumers on edition 2021 with older workspaces may see behavioral differences in feature unification. Worth a CHANGELOG note.
  • audits.toml is empty ([audits] with no entries). That's fine for bootstrapping, but it means every third-party crate relies on exemptions or imported audits — the exemptions list is long and should be burned down over time.
  • No description on the PR itself; for a release PR, linking the CHANGELOG diff or the list of PRs since 0.6.2 helps reviewers.

4. Suggestions

  1. Move ### Changed under ## [0.7.0] - 2026-04-21 explicitly to avoid ambiguity.
  2. Add a CHANGELOG note that resolver = "3" is now set (user-visible for workspace consumers).
  3. Add a PR description summarizing downstream-visible changes (MSRV, extract signature, corez migration, typenum no_std feature no longer required per README).
  4. File a tracking issue to retire exemptions.* entries as audits are performed.

Recommendation: Approve after CHANGELOG tidy-up.


Automated review by zodl-review bot · Model: us.anthropic.claude-opus-4-7 · [Silent pilot — feedback welcome]

@nuttycom
nuttycom merged commit c5e596c into main Apr 21, 2026
42 checks passed
@nuttycom
nuttycom deleted the release-0.7.0 branch April 21, 2026 19:52
@nuttycom nuttycom mentioned this pull request Apr 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants