base64-ng 0.7.0
This release focuses on security evidence and release discipline while keeping the active implementation scalar-only.
Highlights
- Added an isolated dudect-style timing harness for the constant-time-oriented scalar decoder.
- Added generated assembly evidence for constant-time-oriented code review.
- Added release-evidence manifests with toolchain metadata, commands, checksums, and result status.
- Added bounded Kani proof harnesses for constant-time-oriented decode bounds, cleanup, and validate/decode agreement.
- Added deterministic regression coverage for constant-time-oriented validation and decode agreement.
- Hardened streaming adapters to wipe temporary stack buffers used for encoded, decoded, and read-staging data.
- Documented the performance tradeoff of the conservative custom alphabet encoding fallback.
- Scoped v0.7.0 as scalar-only: SIMD remains gated behind admission evidence and is not an active backend.
Security Posture
- Zero external runtime dependencies.
- Scalar encode/decode remains the foundation of trust.
- Strict canonical decoding remains the default.
- Legacy whitespace handling remains explicit opt-in.
- Best-effort volatile wiping is used for sensitive cleanup paths.
- Release gate includes fmt, clippy, tests, doctests, docs, audit, deny, license checks, Miri, fuzz/perf/dudect dependency checks, SBOM, and reproducible package/build checks.
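
What "strict canonical decoding" means in practice, as an added Rust illustration that is not base64-ng's own code or API: a scalar decoder whose strict mode rejects encodings with non-zero unused trailing bits, so each byte string has exactly one accepted encoding. The standard padded alphabet is assumed, and the names `decode`, `strict`, and `DecodeError` are hypothetical; the lenient mode exists only for contrast.

```rust
// Added illustration of strict canonical Base64 decoding; not base64-ng's code or API.
// Assumes the standard padded alphabet (RFC 4648 section 4); all names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum DecodeError { Length, Symbol(usize), Padding, NonCanonical }

fn sextet(c: u8) -> Option<u8> {
    match c {
        b'A'..=b'Z' => Some(c - b'A'),
        b'a'..=b'z' => Some(c - b'a' + 26),
        b'0'..=b'9' => Some(c - b'0' + 52),
        b'+' => Some(62),
        b'/' => Some(63),
        _ => None,
    }
}

/// Decode `input`; with `strict` set, reject encodings whose unused trailing bits are non-zero.
pub fn decode(input: &[u8], strict: bool) -> Result<Vec<u8>, DecodeError> {
    if input.len() % 4 != 0 {
        return Err(DecodeError::Length);
    }
    let mut out = Vec::with_capacity(input.len() / 4 * 3);
    for (i, quad) in input.chunks_exact(4).enumerate() {
        // Padding is legal only as "xx==" or "xxx=" in the final quantum.
        let pad = quad.iter().rev().take_while(|&&c| c == b'=').count();
        if pad > 2 || (pad > 0 && (i + 1) * 4 != input.len()) {
            return Err(DecodeError::Padding);
        }
        let mut acc: u32 = 0;
        for (j, &c) in quad[..4 - pad].iter().enumerate() {
            let err = if c == b'=' { DecodeError::Padding } else { DecodeError::Symbol(i * 4 + j) };
            acc |= u32::from(sextet(c).ok_or(err)?) << (18 - 6 * j);
        }
        let bytes = acc.to_be_bytes(); // [0, b0, b1, b2]
        let keep = 3 - pad;
        // Bits past the last output byte carry no data; canonical encoders emit them as zero.
        if strict && bytes[1 + keep..].iter().any(|&b| b != 0) {
            return Err(DecodeError::NonCanonical);
        }
        out.extend_from_slice(&bytes[1..1 + keep]);
    }
    Ok(out)
}

fn main() {
    // Constructed inputs: "QQ==" is the canonical encoding of "A"; "QR==" differs only in unused bits.
    for s in ["QQ==", "QR==", "QUI=", "QUJ=", "Q=Q="] {
        println!("{s}: strict={:?} lenient={:?}", decode(s.as_bytes(), true), decode(s.as_bytes(), false));
    }
}
```

A lenient decoder maps both "QQ==" and "QR==" to the same byte, which breaks any check that compares or hashes the encoded form; strict mode closes that gap.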
Note
Kani proof execution is currently gated by Kani’s bundled compiler support. The harnesses are included, but local release checks skip Kani when the installed Kani compiler is older than the crate MSRV.