fix(ci): unbreak the build (russh 0.61.2), clear RustSec advisories, fix legacy-namespace test #862
Conversation
A wave of new 2026 RustSec advisories against transitive crypto crates turned the Cargo Audit / Security Audit CI jobs red (pre-existing on main, unrelated to the prior PR). Remediate the ones we can and triage the rest with justification.

Real fixes (shrink the tree / bump in range):
- Drop the `russh-keys` 0.45 dependency. It was vestigial — nothing references `russh_keys::`; all key handling goes through russh's own `russh::keys`. Removing it drops russh-keys, the standalone ssh-key 0.6.7, russh-cryptovec 0.7.3 (RUSTSEC-2026-0153), pbkdf2 and password-hash from the lock.
- Bump rustls-webpki 0.103.8 -> 0.103.13 (clears RUSTSEC-2026-0049/0098/0099/0104 for that instance).

Triaged (need breaking major upgrades, tracked separately) — ignores added to .cargo/audit.toml with per-advisory rationale, mirrored in deny.toml:
- russh 0.55 crypto stack: aws-lc-sys (2026-0044..0048), libcrux-sha3 (2026-0074), russh-cryptovec 0.52 (2026-0153), russh (2026-0154). Fix = upgrade russh to >=0.60.3 (breaking).
- AWS SDK's bundled rustls 0.21 / rustls-webpki 0.101.7 (2026-0098/0099/0104), aws feature only. Fix = AWS SDK on rustls 0.23.

cargo audit now exits 0 (3 informational warnings remain). Default build, clippy --all-targets -D warnings, and fmt all green.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Code Review by Qodo
1. Misleading russh optionality note
PR Summary by Qodo
Fix audit CI by removing unused russh-keys and documenting RustSec ignores
Walkthroughs
Description
• Remove the unused russh-keys optional dependency from the russh feature.
• Triage newly failing 2026 RustSec advisories with documented, feature-scoped ignores.
• Mirror RustSec ignore lists between cargo-audit and cargo-deny configurations.
Diagram
graph TD
A["Security audit CI jobs"] --> B[".cargo/audit.toml"] --> G[("RustSec advisory DB")]
A --> C["deny.toml"]
D["Cargo feature selection"] --> E["Cargo.toml"] --> F["Resolved dependency tree"] --> A
High-Level Assessment
The following are alternative approaches to this PR:
1. Do the breaking upgrades now (russh >=0.60.3, AWS SDK rustls 0.23 line)
2. Temporarily exclude optional-feature trees from CI audits
3. Use Cargo `[patch]` / dependency overrides to force fixed transitive versions
Recommendation: Current approach is appropriate for unblocking CI: remove truly unused dependencies to shrink the tree, and explicitly document/justify remaining advisories that require breaking upstream upgrades. Keep the ignore blocks narrowly scoped and treat them as temporary—follow up with separate PRs for the russh and AWS/rustls major-line upgrades, then delete the corresponding ignores.
File Changes
Other (3)
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 99dc9a4f04
| # russh is optional (`russh` feature) and these are SSH-path crypto issues. | ||
| "RUSTSEC-2026-0044", # aws-lc-sys: X.509 name-constraints bypass |
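Review bot: the rationale on the first line of this entry ("russh is optional (`russh` feature)") does not match the crate's own feature set, which the Codex finding below quotes as `default = ["russh", "local"]`, so a plain `cargo build` enables exactly the SSH path these IDs cover. Reword the comment to say the path is on by default and name the upgrade that retires the entry (the commit message gives it as russh >=0.60.3), so a reader of .cargo/audit.toml sees a time-boxed, default-reachable risk rather than an opt-in one.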
Don't ignore default-reachable russh advisories
This suppression is justified as optional, but Cargo.toml still has default = ["russh", "local"], so a normal/default build pulls russh 0.55 and its aws-lc-sys, libcrux-sha3, and russh-cryptovec stack. With these IDs ignored, both cargo audit jobs can pass while the default SSH backend remains covered by the listed vulnerabilities; either remove russh from the default set or avoid suppressing these until the default path is upgraded.
test_release_docs_do_not_reference_legacy_repo_namespace forbade github.com/adolago/rustible, but adolago/rustible is now the canonical home of the repository. PR #860's docs alignment moved the issue links onto adolago/rustible, which tripped this guard and turned the entire Test matrix red on one assertion (38 passed; 1 failed).

Point the guard at the actual previous owner, kernelfirma/rustible, so it still prevents stale-namespace references from creeping back in while allowing the current adolago namespace. None of the seven guarded docs reference kernelfirma anymore, so the suite is green.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
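The retargeted guard, written out as an added example rather than the project's actual test: scan a set of docs for links to the previous repository namespace and allow the current one. The document paths and contents below are constructed; matching is case-insensitive because GitHub owner names are, which is an addition of this example and not something the page's test is stated to do.

```rust
/// A hit: (document path, 1-based line number, offending line).
pub type LegacyRef = (String, usize, String);

/// Report every line in `docs` that links to `github.com/<legacy_namespace>`.
/// Case-insensitive, because GitHub treats `KernelFirma` and `kernelfirma` alike.
pub fn find_legacy_namespace_refs(docs: &[(&str, &str)], legacy_namespace: &str) -> Vec<LegacyRef> {
    let needle = format!("github.com/{}", legacy_namespace).to_ascii_lowercase();
    let mut hits = Vec::new();
    for (path, body) in docs {
        for (idx, line) in body.lines().enumerate() {
            if line.to_ascii_lowercase().contains(&needle) {
                hits.push((path.to_string(), idx + 1, line.to_string()));
            }
        }
    }
    hits
}

/// The guard as one boolean: true when no document references the legacy namespace.
pub fn guard_passes(docs: &[(&str, &str)], legacy_namespace: &str) -> bool {
    find_legacy_namespace_refs(docs, legacy_namespace).is_empty()
}

/// Constructed documents standing in for the release docs the real test walks.
/// The first two point at the current canonical home; the third is a stale reference.
pub const SAMPLE_DOCS: &[(&str, &str)] = &[
    (
        "docs/RELEASE.md",
        "Report bugs at https://github.com/adolago/rustible/issues\nSee CHANGELOG.md for details.",
    ),
    (
        "docs/INSTALL.md",
        "git clone https://github.com/adolago/rustible.git",
    ),
    (
        "docs/OLD_NOTES.md",
        "Originally hosted at https://github.com/KernelFirma/rustible (stale)",
    ),
];

fn main() {
    // Guard aimed at the previous owner, as the commit does.
    for (path, line_no, line) in find_legacy_namespace_refs(SAMPLE_DOCS, "kernelfirma/rustible") {
        println!("{path}:{line_no}: stale namespace reference: {line}");
    }
    // The old target (the current canonical owner) would flag every valid link.
    println!(
        "old guard target would pass: {}",
        guard_passes(SAMPLE_DOCS, "adolago/rustible")
    );
}
```

On the sample set the guard aimed at `kernelfirma/rustible` reports only docs/OLD_NOTES.md, while the old target `adolago/rustible` fails on the two valid links, which is the failure mode the commit describes.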
main (after Dependabot #861 bumped russh 0.55 -> 0.57) no longer compiled: russh 0.57's forked ssh-key pulls a pre-release rsa/pkcs8 combination that fails to build. Resolving the Cargo.lock conflict on top of that breakage required moving russh forward, not just merging.

- Upgrade russh to 0.61.2 (latest). Drops the broken forked ssh-key in favour of ssh-key 0.7, bumps russh-cryptovec to 0.61 and aws-lc-sys to 0.41, and removes libcrux-sha3 and proc-macro-error2 from the tree.
- Migrate the changed agent API (russh.rs, russh_auth.rs, ssh_agent.rs): request_identities() now yields AgentIdentity; use .public_key() for authentication and algorithm lookup. Rebuild the test key helper deterministically via Ed25519Keypair::from_seed to avoid ssh-key's rand_core version coupling.
- This upgrade fixes the russh-chain advisories for real, so their .cargo/audit.toml / deny.toml ignores are removed; only the AWS SDK rustls-webpki 0.101.7 ignores remain. rustls-webpki re-bumped to 0.103.13 (clears RUSTSEC-2026-0049).

cargo audit/deny/clippy(-D warnings)/fmt clean; 2961 lib tests + docs + smoke pass.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The test spawned 10 tasks each sleeping 10ms and asserted the parallel run finished in <50ms. That window is too tight for a contended CI runner (it flaked on ubuntu-stable-pure-rust while passing everywhere else with the identical feature set).

Use 50ms sleeps with a <250ms bound: parallel is ~50ms + overhead, a serial run would be ~500ms, so the parallel-vs-serial distinction stays sharp with ample CI headroom.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
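The timing argument in that commit, as an added example that is not the project's test: std::thread sleeps stand in for the project's async tasks, and the old and new parameters are compared on the quantity that actually absorbs scheduler jitter, the absolute gap between one sleep and the bound. Both parameter sets keep a 5x ratio between bound and sleep, so the gain is entirely in that absolute gap (40ms before, 200ms after).

```rust
use std::thread;
use std::time::{Duration, Instant};

/// Parameters the commit replaced and the ones it settled on.
pub const OLD_PER_TASK: Duration = Duration::from_millis(10);
pub const OLD_BOUND: Duration = Duration::from_millis(50);
pub const TASKS: usize = 10;
pub const PER_TASK: Duration = Duration::from_millis(50);
pub const PARALLEL_BOUND: Duration = Duration::from_millis(250);

/// Run `tasks` sleeps of `per_task` concurrently on OS threads; return wall time.
pub fn run_parallel(tasks: usize, per_task: Duration) -> Duration {
    let start = Instant::now();
    let handles: Vec<_> = (0..tasks)
        .map(|_| thread::spawn(move || thread::sleep(per_task)))
        .collect();
    for h in handles {
        h.join().expect("task panicked");
    }
    start.elapsed()
}

/// The same work done one task after another, the case the bound must reject.
pub fn run_serial(tasks: usize, per_task: Duration) -> Duration {
    let start = Instant::now();
    for _ in 0..tasks {
        thread::sleep(per_task);
    }
    start.elapsed()
}

/// Room for scheduling delay before a genuinely parallel run trips the bound.
/// Jitter on a loaded runner is measured in absolute milliseconds, so this,
/// not the bound/sleep ratio, is what decides whether the test flakes.
pub fn absolute_headroom(per_task: Duration, bound: Duration) -> Duration {
    bound.saturating_sub(per_task)
}

/// What the assertion should check: the run took at least one sleep (so the
/// measurement is real) and finished under the bound (so tasks overlapped).
pub fn parallelism_evident(elapsed: Duration) -> bool {
    elapsed >= PER_TASK && elapsed < PARALLEL_BOUND
}

fn main() {
    println!(
        "headroom old={:?} new={:?}",
        absolute_headroom(OLD_PER_TASK, OLD_BOUND),
        absolute_headroom(PER_TASK, PARALLEL_BOUND)
    );
    let parallel = run_parallel(TASKS, PER_TASK);
    let serial = run_serial(TASKS, PER_TASK);
    println!(
        "parallel={:?} serial={:?} bound held={}",
        parallel,
        serial,
        parallelism_evident(parallel)
    );
}
```

The lower bound (`elapsed >= PER_TASK`) is worth keeping in such a test: it catches a refactor that stops awaiting the tasks at all, which a pure upper bound would wave through as "very fast".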
Summary
Gets CI green again (issue #850) after a cascade of failures. Three areas, now all resolved:
1. Unbreak the build: russh 0.57 → 0.61.2
- main stopped compiling once Dependabot #861 (build(deps): bump the cargo group across 2 directories with 3 updates) bumped russh 0.55→0.57, whose forked ssh-key pulls a pre-release rsa/pkcs8 combo that doesn't compile.
- Resolving this branch's lock conflict on top required moving russh forward to 0.61.2: the forked ssh-key is replaced by ssh-key 0.7, russh-cryptovec→0.61 and aws-lc-sys→0.41 are bumped, and libcrux-sha3 + the unmaintained proc-macro-error2 are removed.
- Migrated the changed agent API (russh.rs, russh_auth.rs, ssh_agent.rs): request_identities() now yields AgentIdentity; use .public_key() for auth + algorithm lookup. Test key helper rebuilt via Ed25519Keypair::from_seed (random seed) to avoid ssh-key's rand_core version coupling.
- Dropped the vestigial russh-keys 0.45 dep (nothing uses russh_keys::; everything goes through russh::keys).

2. Audit advisories — mostly fixed for real, not ignored
The russh 0.61 upgrade fixes 8 of the 11 advisories (aws-lc-sys ×5, libcrux-sha3, russh, russh-cryptovec) outright — so their ignores are gone. Plus rustls-webpki 0.103.8→0.103.13 (clears RUSTSEC-2026-0049).
Only the AWS SDK's bundled rustls-webpki 0.101.7 (RUSTSEC-2026-0098/0099/0104, aws feature only) stays triaged in .cargo/audit.toml / deny.toml, with a note: fix is the AWS SDK moving onto rustls 0.23.

3. Legacy-namespace docs test
test_release_docs_do_not_reference_legacy_repo_namespace forbade adolago/rustible, but that's the canonical home now; #860 moved issue links onto it and tripped the guard (all 13 Test jobs, one assertion). Retargeted the guard at the actual previous owner, kernelfirma/rustible.

Verification (local, default features)
- cargo check --all-targets
- cargo audit
- cargo deny check licenses bans sources → bans ok, licenses ok, sources ok
- cargo clippy --all-targets -- -D warnings
- cargo test --lib
- cargo test --test docs_compatibility_sync_tests
- bash scripts/smoke_tests.sh
- cargo fmt --all -- --check

Remaining follow-up (out of scope)
- (… rustls-webpki 0.101.7); then drop those ignores.

🤖 Generated with Claude Code