Skip to content

Track libsodium upstream in NOTES.md instead of filing issues#152

Merged
gafferongames merged 1 commit into
mainfrom
fix-sodium-watch
Jul 9, 2026
Merged

Track libsodium upstream in NOTES.md instead of filing issues#152
gafferongames merged 1 commit into
mainfrom
fix-sodium-watch

Conversation

@gafferongames

@gafferongames gafferongames commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

What happened

The manual first run of the nightly scheduled.yml surfaced a real finding — libsodium 1.0.22 is out, vendored subset is 1.0.20 — which is what the libsodium upstream check job is for. But it reported green without opening the tracking issue (creation failed on a missing dependencies label; a || echo fallback masked the failure).

Per direction, the fix is not to repair issue-filing but to drop it — the record lives in sodium/NOTES.md.

Change

  • scheduled.yml: the check now compares the latest upstream release to a Last reviewed upstream release: marker in sodium/NOTES.md and fails (no issues, no labels, no issues: write) if a newer, unreviewed release exists. The failure self-clears when NOTES.md is updated.
  • sodium/NOTES.md: adds the marker (1.0.22) and a review log.

The review

Checking 1.0.21 + 1.0.22 against the included slice (ChaCha20 / Poly1305 / the two AEADs):

  • Outside the slice (no action): ed25519 small-order-point fix, ipcrypt, XOF/SHA-3, ML-KEM768 / X-Wing, and build/platform work.
  • Touches the slice (pending): 1.0.20-stable/1.0.21 added memory fences after MAC verification in the AEAD path — a speculative-access hardening. It appears to touch the ChaCha20-Poly1305 decrypt code in this subset and is logged as pending incorporation on the next re-vendor. It's defense-in-depth, not functional or interop, so vendored 1.0.20 stays correct and interoperable meanwhile.

Marker set to 1.0.22, so the job is green now and will fire again only on 1.0.23+.

Verified

  • scheduled.yml valid YAML; marker parse + comparison simulated locally against the real NOTES.md (reviewed 1.0.22 == latest 1.0.22 → green).

🤖 Generated with Claude Code

The first real run of the nightly libsodium check found 1.0.22 (vendored
is 1.0.20) but reported green without filing its tracking issue: creation
failed on a missing 'dependencies' label and a '|| echo' fallback masked
it. Rather than fix issue-filing, drop it — the record belongs in
sodium/NOTES.md.

- scheduled.yml: the check now compares the latest upstream release to a
  "Last reviewed upstream release" marker in NOTES.md and fails (no issue)
  if a newer, unreviewed release exists. Failing self-clears when NOTES.md
  is updated.

- sodium/NOTES.md: add the marker (1.0.22) and a review log. Reviewing
  1.0.21/1.0.22 found most changes are outside the included slice, but the
  AEAD post-MAC-verification memory fence (speculative-access hardening)
  from 1.0.20-stable/1.0.21 does touch the ChaCha20-Poly1305 decrypt path
  and is noted as pending incorporation on the next re-vendor. It is a
  defense-in-depth hardening, not a functional or interop change, so
  vendored 1.0.20 stays correct meanwhile.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@gafferongames gafferongames changed the title Fix libsodium upstream check silently failing to file its issue Track libsodium upstream in NOTES.md instead of filing issues Jul 9, 2026
@gafferongames gafferongames merged commit 50d00ff into main Jul 9, 2026
11 checks passed
@gafferongames gafferongames deleted the fix-sodium-watch branch July 9, 2026 17:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant