fix(toolchain): correct stale rust-toolchain.toml comment drift #316

Merged
githubrobbi merged 1 commit into main from fix/toolchain-comment-drift
May 29, 2026

@githubrobbi
Collaborator

Summary

Fixes the one genuine OSS finding from the uffs-products sync report (docs/OSS_SYNC_FINDINGS.md §1).

rust-toolchain.toml's comment block claimed the channel must stay pinned at nightly-2026-04-17 to avoid the ethnum 1.5.2 E0512 transmute regression — but the file actually ships channel = "nightly-2026-05-20" (since v0.5.102, commit d4e40baa2) and the workspace Cargo.lock resolves the fixed ethnum 1.5.3. The comment was stale and actively misleading.

Real-world cost: it sent the products repo chasing a toolchain downgrade before they found the actual fix (bump ethnum, not the channel).

Change

Comment-only rewrite of the [toolchain] block:

  • States the current reality: pin 05-20 requires ethnum >= 1.5.3, with a verify command.
  • Keeps the tokio 1.51→1.52 and ethnum history as resolved notes (so a future bump doesn't re-tread it).
  • Documents the correct remedy if E0512 recurs on a bump: cargo update -p ethnum --precise 1.5.3, never a toolchain downgrade.

channel and all other settings are unchanged — this touches comments only.

Other findings in the report (validated, no action needed)

| § | Finding | OSS status |
|---|---------|------------|
| 3 | rustls-webpki / rand advisories | Clean — OSS has rustls-webpki 0.103.13, rand 0.9.4/0.10.1 (no vulnerable 0.8.x); Dependabot enabled (dependabot-auto-merge.yml) |
| 4 | CI @nightly float vs pin | OSS CI installs via rustup show (honors the pin) — products-only mistake |
| 5 | duplicate setup recipe | OSS has exactly one setup: in shared.just — no collision |

🤖 Generated with Claude Code

The comment block claimed the pin must stay at nightly-2026-04-17 to
avoid the ethnum 1.5.2 E0512 transmute regression, but the file actually
ships channel = nightly-2026-05-20 and the lockfile resolves the fixed
ethnum 1.5.3. The stale rationale was actively misleading — it sent a
downstream consumer (uffs-products) chasing a toolchain downgrade before
finding the real fix (bump ethnum, not the channel).

Rewrite the block to state reality: current pin 05-20 requires
ethnum >= 1.5.3; keep the tokio + ethnum history as *resolved* notes so
a future bump does not re-tread it; document that E0512 on a bump is
fixed via `cargo update -p ethnum --precise 1.5.3`, never a downgrade.

Comment-only change; channel and all settings unchanged.

Reported-by: uffs-products OSS sync (docs/OSS_SYNC_FINDINGS.md §1)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@githubrobbi githubrobbi enabled auto-merge (squash) May 29, 2026 11:31
@githubrobbi githubrobbi merged commit 2588ecd into main May 29, 2026
21 checks passed
@githubrobbi githubrobbi deleted the fix/toolchain-comment-drift branch May 29, 2026 11:43
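
An added example, not part of this pull request or the project's code: a shell guard that fails when Cargo.lock resolves ethnum below the 1.5.3 floor the description states for the nightly-2026-05-20 pin, and that flags a channel change so the floor gets re-validated instead of trusted from a comment. The function names are hypothetical and the sample files are constructed; the verify command in the rewritten comment block is not shown on this page.

```shell
#!/bin/sh
# Added example, not project code. Function names are hypothetical; sample files are constructed.
toolchain_channel() {   # print the `channel` value from rust-toolchain.toml ($1)
    sed -n 's/^[[:space:]]*channel[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

locked_versions() {     # print each locked version of crate $2 in Cargo.lock ($1)
    awk -v crate="$2" '
        /^\[\[package\]\]/ { name = ""; next }
        /^name = /    { gsub(/"/, "", $3); name = $3 }
        /^version = / { gsub(/"/, "", $3); if (name == crate) print $3 }
    ' "$1"
}

version_ge() {          # succeed when dotted version $1 >= $2 (numeric fields only)
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); if (m > n) n = m
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_pin TOOLCHAIN_FILE LOCK_FILE EXPECTED_CHANNEL CRATE FLOOR
# returns 0 = ok, 1 = crate below floor, 2 = channel moved or crate missing
check_pin() {
    ch=$(toolchain_channel "$1")
    [ "$ch" = "$3" ] || { echo "channel '$ch' != '$3': re-check the $4 floor" >&2; return 2; }
    vs=$(locked_versions "$2" "$4")
    [ -n "$vs" ] || { echo "$4 not found in $2" >&2; return 2; }
    for v in $vs; do
        version_ge "$v" "$5" || { echo "$4 $v < $5; run: cargo update -p $4 --precise $5" >&2; return 1; }
    done
    return 0
}

# Write constructed sample files into directory $1, locking ethnum at version $2.
make_sample() {
    printf '[toolchain]\nchannel = "nightly-2026-05-20"\n' > "$1/rust-toolchain.toml"
    printf '[[package]]\nname = "ethnum"\nversion = "%s"\n\n[[package]]\nname = "example-crate"\nversion = "0.1.0"\n' "$2" > "$1/Cargo.lock"
}

# Demo on constructed files: a lockfile still on ethnum 1.5.2 is rejected.
d=$(mktemp -d); make_sample "$d" 1.5.2
check_pin "$d/rust-toolchain.toml" "$d/Cargo.lock" nightly-2026-05-20 ethnum 1.5.3 || echo "check_pin exit code: $?"
rm -rf "$d"
```

Run as a CI step, the exit code 2 path forces whoever bumps the channel to revisit the documented floor in the same change.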