v0.3.0-rc3: bincode 1→2 migration + RUSTSEC suppression + wire-format gate#4
Merged
Conversation
`bincode` is unmaintained (RUSTSEC-2025-0141, `patched = []` — the v3
release on crates.io is a `compile_error!` placeholder). v0.2.x shipped
on the legacy 1.3 line; this gets us onto the latest line that actually
exists, off the deprecated `bincode::serialize`/`deserialize`/`Error`
API and onto the `bincode::serde` adapter with `config::standard()`.
Migrating off bincode entirely to `postcard` is the v0.4 exit ramp.
Wire-format break (intentional):
- `orp-stream::dlq::FederationOutbox` and `OutboxEntry` (RocksDB-backed
federation buffer): old bytes are bincode-1, new bytes are bincode-2.
On `open`, the outbox now looks for a reserved version-marker key
(`0xFFFF __orp_outbox_wire_version__`) holding `b"v2"`. Empty stores
get the marker stamped automatically; stores with data but no marker
(or a mismatched marker) refuse to open with `IncompatibleOutboxVersion`
and the binary fails fast in `start_server`. The reserved key cannot
collide with any real `(peer_id_len, peer_id, seq)` key — `make_key`
/ `peer_prefix` now reject any `peer_id` whose length would equal
`u16::MAX`, the only way a key prefix could begin `[0xFF, 0xFF]`.
- `orp-ml::IsolationForestModel`: serialised model wire format is bumped
to `ISOLATION_FOREST_SCHEMA_VERSION = 2`. Stale embedded models surface
as `MlError::ModelVersionMismatch { got: 1, expected: 2 }` rather than
silently mis-decoding.
Operator action: the v0.3.0 binary refuses to start against a v0.2.x
outbox. Drain with the v0.2.x binary first, then upgrade — full procedure
in docs/upgrades/v0.3.0.md.
Validation:
- `audit.toml` ignores RUSTSEC-2025-0141 with a documented exit ramp;
the advisory has `patched = []` so a version bump cannot resolve it.
`cargo audit` passes (exit 0). Cargo.lock is bincode-2.0.1 only;
bincode 1 is gone.
- Tests: 1275 passed, 0 failed across the workspace, including 5 new
outbox tests covering bincode-2 roundtrip, fresh-store marker stamp,
legacy-store rejection, mismatched-marker rejection, and that the
marker is invisible to `pending_count`.
- `cargo fmt` clean; `cargo clippy -p orp-stream -p orp-ml --tests
-- -D warnings` clean. (Workspace-wide clippy hits three pre-existing
master lint failures in klv.rs / notifications.rs / commands.rs from
rustc 1.91 — out of scope for this PR.)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
orp-E delivered the bincode hygiene work. Single commit
c7075a2cherry-picked + Cargo.toml conflict resolved.What this ships
docs/upgrades/v0.3.0.md.compile_error!("https://xkcd.com/2347/")— a doxx-incident response, not a real release. RUSTSEC-2025-0141 haspatched = [](the bincode team announced permanent cessation of development). NO version bump clears the advisory. Stayed at bincode 2 + suppressed viaaudit.tomlwith documented exit ramp (postcard / bitcode / rkyv evaluation queued for v0.4).FederationOutbox::openstamps a0xFFFF __orp_outbox_wire_version__marker on first open, refuses to start if the marker is missing or wrong. Prevents bincode-2 trying to decode v0.2.0 (bincode-1) bytes. Operator drain procedure in docs.ISOLATION_FOREST_SCHEMA_VERSIONbumped 1→2 so stale serialised IF models surface asMlError::ModelVersionMismatchinstead of mis-decoding.http.rsfail-fast onDlqError::IncompatibleOutboxVersionat startup with clear error pointing to upgrade docs.Files
9 changed, +344 / -22:
Cargo.toml— bincode = "2" workspace dep (with serde feature)crates/orp-stream/src/dlq.rs— bincode-2 calls + version-marker gate + manualDebugimpl + 5 new testscrates/orp-stream/Cargo.toml,crates/orp-ml/Cargo.toml— bincode = workspacecrates/orp-ml/src/lib.rs— IF model serialiser switched tobincode::serde; SCHEMA_VERSION bumpcrates/orp-core/src/server/http.rs— fail-fast on outbox version mismatchaudit.toml— ignores RUSTSEC-2025-0141 with exit-ramp commentdocs/upgrades/v0.3.0.md— operator drain procedure for production usersCHANGELOG.md— Unreleased / Dependencies block explaining the wire-format breakTests
dlq.rs: bincode-2 roundtrip, fresh-store marker stamp, legacy-store rejection, mismatched-marker rejection, marker invisible topending_countcargo audit: exit 0 (RUSTSEC-2025-0141 suppressed via audit.toml)Production migration story
v0.3.0 will refuse to start if
ORP_FED_OUTBOX_PATHpoints at an unmarked or wrongly-marked RocksDB store. Error message is explicit and points todocs/upgrades/v0.3.0.md.Procedure:
rm -rf $ORP_FED_OUTBOX_PATHOr accept loss of buffered entries and just delete the dir. Empty stores upgrade transparently — marker stamped on first open.
Test plan
cargo fmt --all -- --check— cleancargo clippy --all --all-features --tests -- -D warnings— cleancargo check --workspace --all-features --tests— clean (13.20s)cargo auditexit 0 with RUSTSEC-2025-0141 suppressedCloses
Still deferred (future PRs)
🤖 Generated with Claude Code