Skip to content

0.8.6#1772

Merged
dhardy merged 17 commits intorust-random:0.8from
nwalfield:0.8.6
Apr 16, 2026
Merged

0.8.6#1772
dhardy merged 17 commits intorust-random:0.8from
nwalfield:0.8.6

Conversation

@nwalfield
Copy link
Copy Markdown

@nwalfield nwalfield commented Apr 14, 2026

Summary

This PR backports #1764 to version 0.8.5 of rand.

Motivation

There are still many packages that use rand 0.8. Leaf crates that depend on such packages are unable to address RUSTSEC-2026-0097 until their dependencies upgrade to a newer version of rand, which is likely to take a long time, or the fix is backported to 0.8. This PR does the latter.

Details

A request for a backport to 0.8 was raised in #1770 .

I work on Sequoia PGP. In Sequoia, we are currently stuck on an old version of Hickory as the latest version of Hickory dropped support for OpenSSL. We are currently looking for a solution to Hickory, but until then we have to live with Hickory and its dependencies, which include a dependency on rand 0.8.

@nwalfield nwalfield mentioned this pull request Apr 14, 2026
Closed
@nwalfield
Copy link
Copy Markdown
Author

nwalfield commented Apr 14, 2026

@dhardy How do you prefer to handle these failures:

failures:

---- rand_core\src\lib.rs - SeedableRng::Seed (line 265) stdout ----
error: constant `N` is never used
   --> rand_core\src\lib.rs:269:7
    |
269 | const N: usize = 64;
    |       ^
    |
note: the lint level is defined here
   --> rand_core\src\lib.rs:263:9
    |
263 | #![deny(warnings)]
    |         ^^^^^^^^
    = note: `#[deny(dead_code)]` implied by `#[deny(warnings)]`

error: struct `MyRngSeed` is never constructed
   --> rand_core\src\lib.rs:270:12
    |
270 | pub struct MyRngSeed(pub [u8; N]);
    |            ^^^^^^^^^

error: struct `MyRng` is never constructed
   --> rand_core\src\lib.rs:271:12
    |
271 | pub struct MyRng(MyRngSeed);
    |            ^^^^^

error: aborting due to 3 previous errors

Couldn't compile the test.

failures:
    rand_core\src\lib.rs - SeedableRng::Seed (line 265)

test result: FAILED. 4 passed; 1 failed; 1 ignored; 0 measured; 0 filtered out; finished in 0.35s

error: doctest failed, to rerun pass `--doc`
Error: Process completed with exit code 1.

Should I disable deny(warnings), enable allow(dead_code) or remove the dead code?

dhardy
dhardy requested changes Apr 14, 2026
View reviewed changes
Comment thread Cargo.toml
Comment thread src/lib.rs
Comment thread Cargo.toml Outdated
Comment thread CHANGELOG.md Outdated
@dhardy
Copy link
Copy Markdown
Member

dhardy commented Apr 14, 2026
edited
Loading

error: struct MyRng is never constructed

I think this could simply be solved by extending the example to use MyRng:

# let _rng = MyRng::from_seed(Default::default());

@dhardy
Copy link
Copy Markdown
Member

dhardy commented Apr 14, 2026

Running RUSTDOCFLAGS="--cfg docsrs -Zunstable-options --generate-link-to-definition" cargo +nightly doc --all --all-features --no-deps (as now in Cargo.toml) fails; most errors are from the simd_support feature. So either remove that or switch to RUSTDOCFLAGS="--cfg docsrs -Zunstable-options --generate-link-to-definition" cargo +nightly doc --all --features serde1,getrandom,small_rng,min_const_gen --no-deps.

The latter still fails; looks like rand_core's lib.rs needs #![cfg_attr(docsrs, feature(doc_cfg))].

@nwalfield nwalfield marked this pull request as draft April 14, 2026 13:35
@jhfrontz jhfrontz mentioned this pull request Apr 14, 2026
Open
@xtqqczze xtqqczze mentioned this pull request Apr 15, 2026
Open
@nwalfield nwalfield force-pushed the 0.8.6 branch 3 times, most recently from e46d7cf to 6ce6455 Compare April 15, 2026 10:20
@nwalfield
Copy link
Copy Markdown
Author

nwalfield commented Apr 15, 2026

error: struct MyRng is never constructed

I think this could simply be solved by extending the example to use MyRng:

# let _rng = MyRng::from_seed(Default::default());

That wasn't quite enough (rust complains about .0 not being used), but I've implemented this idea. Thanks.

@nwalfield
Copy link
Copy Markdown
Author

nwalfield commented Apr 15, 2026

@dhardy The only test that fails is the 1.36 test. That fails because it is pulling in dependencies that 1.36 doesn't support:

 Downloading crates ...
  Downloaded getrandom v0.2.17
  Downloaded cfg-if v1.0.4
  Downloaded libc v0.2.185
error: failed to parse manifest at `/home/runner/.cargo/registry/src/github.com-1ecc6299db9ec823/libc-0.2.185/Cargo.toml`

Caused by:
  failed to parse the `edition` key

Caused by:
  supported edition values are `2015` or `2018`, but `2021` is unknown
Error: Process completed with exit code 101.

Do you have any suggestions on how to handle this?

@nwalfield nwalfield requested a review from dhardy April 15, 2026 11:26
@dhardy
Copy link
Copy Markdown
Member

dhardy commented Apr 15, 2026
edited
Loading

@nwalfield this is probably fixable using "cargo update --precise" (and a lot of patience) to find compatible versions of each dependency.

If necessary we can raise the MSRV (or minimum tested version), but please try the above first.

Edit: sorry, it's not quite that simple. The proper solution would be to copy what we do in v0.9: once you have found a suitable Cargo.lock file, copy it to Cargo.lock.msrv then add a step like this to the CI test spec (including variant: MSRV in the matrix).

@nwalfield nwalfield force-pushed the 0.8.6 branch 2 times, most recently from aafa4c5 to e0b76b3 Compare April 15, 2026 19:46
dhardy
dhardy reviewed Apr 16, 2026
View reviewed changes
Comment thread CHANGELOG.md
Comment thread .github/workflows/test.yml Outdated
@nwalfield nwalfield marked this pull request as ready for review April 16, 2026 11:05
dhardy and others added 7 commits April 16, 2026 13:08
@dhardy @nwalfield
Prepare v0.8.6
ccc71e9
@dhardy @nwalfield
Remove CI job gh-pages
32fc9d0
@dhardy @nwalfield
Copy release.yml from master
5e8b369
@nwalfield
Replace doc_cfg with docsrs.
4b0ef4e 
Fix the following error:

```
warning: unexpected `cfg` condition name: `doc_cfg`
  --> rand_core/src/lib.rs:38:13
   |
38 | #![cfg_attr(doc_cfg, feature(doc_cfg))]
   |             ^^^^^^^
```

`doc_cfg` was used just to conditionally include the `doc_cfg` feature
in docs.rs builds.  That has since been standardized and changed to
`docsrs`.

Replace `doc_cfg` with `docsrs`.

See https://docs.rs/about/builds#detecting-docsrs .
@nwalfield
Fix invalid documentation.
84899de
@nwalfield
Correctly check for features.
8ae52a2 
Use `#[cfg(not(feature = "std"))]` to check for `std`, not
`#[cfg(not(std))]`.
@nwalfield
Fix the implementation of TrustedLen.
4df037d 
Enable the `trusted_len` feature.

Implementing `TrustLen` is now unsafe.  Fix the implementation.
@nwalfield
Workaround never constructed and never used warning.
6f123c1 
`rustc` complains that `error: struct MyRng is never constructed`.
Construct it, and use it.
@nwalfield
Mark some internal traits as potentially unused.
9f0e676 
Implementations of `FloatAsSIMD` and `BoolAsSIMD` are only used if the
`simd_support` feature is enabled.  Instead of making their definition
and several users conditional on `simd_support`, just suppress the
unused warning.
@nwalfield
Address warning.
258e6d0 
Modern versions of `rustc` warn about some elided lifetimes:

```
warning: hiding a lifetime that's elided elsewhere is confusing
   --> src/seq/mod.rs:115:27
    |
115 |     fn choose_multiple<R>(&self, rng: &mut R, amount: usize) -> SliceChooseIter<Self, Self::Item>
    |                           ^^^^^ the lifetime is elided here     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ the same lifetime is hidden here
    |
    = help: the same lifetime is referred to in inconsistent ways, making the signature confusing
    = note: `#[warn(mismatched_lifetime_syntaxes)]` on by default
help: use `'_` for type paths
    |
115 |     fn choose_multiple<R>(&self, rng: &mut R, amount: usize) -> SliceChooseIter<'_, Self, Self::Item>
    |                                                                                 +++
```

Address the warnings.
@nwalfield
Don't test for unsupported target architecture.
4ad0cc3 
Modern `rustc` doesn't know about the `asmjs` target.  Drop it.
@nwalfield
Upgrade cache action.
8ff02f0 
v1 of `actions/cache` has been deprecated.
@nwalfield
Drop simd_support.
5e0d50d 
`simd_support` is an experimental feature, which does not work any
more.  Drop it.
@nwalfield
Fix cross build test.
9be86f2 
The cross build test checks that `Rand` can be cross built for mips.
The Rust project no longer provides binaries for that target.  Switch
to arm, as on the `master` branch.
@nwalfield
Add Cargo.lock.msrv.
143b602
@nwalfield
When testing rustc 1.36, use compatible dependencies.
1126d03 
The latest versions of `ppv-lite86` and `libc` don't compile with
`rustc` 1.36.  When testing with `rustc` 1.36, use the last compatible
version of the dependencies.
@nwalfield
Copy link
Copy Markdown
Author

nwalfield commented Apr 16, 2026

@nwalfield this is probably fixable using "cargo update --precise" (and a lot of patience) to find compatible versions of each dependency.

If necessary we can raise the MSRV (or minimum tested version), but please try the above first.

Edit: sorry, it's not quite that simple. The proper solution would be to copy what we do in v0.9: once you have found a suitable Cargo.lock file, copy it to Cargo.lock.msrv then add a step like this to the CI test spec (including variant: MSRV in the matrix).

FWIW, it took 6 hours of patience :D

@nwalfield
Copy link
Copy Markdown
Author

nwalfield commented Apr 16, 2026

@dhardy CI now passes, and I think I've addressed all of the comments. Please let me know if there is something else that I should do.

Thanks!

dhardy
dhardy approved these changes Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@dhardy dhardy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's more patience than I had expected. Thanks for the effort.

The release date is wrong, but I guess it doesn't really matter.

@dhardy dhardy merged commit 5309f25 into rust-random:0.8 Apr 16, 2026
13 checks passed
@dhardy
Copy link
Copy Markdown
Member

dhardy commented Apr 17, 2026

Published

@nwalfield
Copy link
Copy Markdown
Author

nwalfield commented Apr 17, 2026

@dhardy, thanks specifically for reviewing this, and publishing a new version, but also for your work on Rand. I appreciate it.

@nwalfield nwalfield mentioned this pull request Apr 17, 2026
Merged
archlinux-github pushed a commit to archlinux/signstar that referenced this pull request Apr 17, 2026
@wiktor-k
fix(deps): Update rand 0.8.5 to 0.8.6
8ad8d78 
This makes sure that the vulnerable `log` feature is unavailable.
And as such the advisory suppression is removed.

See: rust-random/rand#1772
Signed-off-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>
@xtqqczze xtqqczze mentioned this pull request Apr 17, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dhardy dhardy dhardy approved these changes

+1 more reviewer

@svix-jplatte svix-jplatte svix-jplatte left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nwalfield @dhardy @svix-jplatte