From 946993cd29773034cb456baca1eab4e2433c040f Mon Sep 17 00:00:00 2001 From: roman Date: Fri, 24 Apr 2026 13:42:39 -0300 Subject: [PATCH 1/2] Resolve `orchard` via valar-orchard on crates.io MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changes the workspace-level `orchard` dep from the crates.io `orchard` package (patched to zcash/orchard git rev 6b12c77) to the `valar-orchard` package on crates.io, aliased locally to `orchard` via cargo's `package =` rename trick. Every member keeps its existing `orchard.workspace = true` line and its source-level `use orchard::…` imports — no other changes needed. Why --- `valar-orchard` is upstream 0.12.0 + the same post-release fixes up to zcash/orchard 6b12c77 that the previous `[patch.crates-io] orchard` entry pointed at, plus the `pub` visibility additions that valargroup/voting-circuits needs for the shielded-voting Halo 2 circuits (constants, spec, shared_primitives gadget). Before this change, consumers that also depend on `voting-circuits` (e.g. `zcash_voting`) ended up with two distinct Orchard crates in their dep-graph: `orchard` (from this fork, via our patch) and `valar-orchard` (pulled by `voting-circuits` from crates.io). Cargo treats them as different crates regardless of content, which forced a byte-round-trip `orchard_compat` bridge at the zcash_keys / pczt boundary. Routing our fork through `valar-orchard` too collapses that back to a single node and deletes the bridge. The `[patch.crates-io] orchard = { git = "zcash/orchard", rev = "6b12c77…" }` entry is obsolete after this change (no dep resolves crates.io `orchard` anymore) and is removed. Verified: `cargo check --workspace` clean. `valar-orchard v0.12.0` appears in the build graph; no `orchard v0.12.x` or git `orchard` entry. Made-with: Cursor --- Cargo.lock | 87 +++++++++++++++++++++++++++--------------------------- Cargo.toml | 13 ++++++-- 2 files changed, 55 insertions(+), 45 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d676b1b8a6..46d227d7b3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2964,42 +2964,6 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d" -[[package]] -name = "orchard" -version = "0.12.0" -source = "git+https://github.com/zcash/orchard.git?rev=b0bf2670e248958c6ce7c1deed466032e0dbd4d9#b0bf2670e248958c6ce7c1deed466032e0dbd4d9" -dependencies = [ - "aes", - "bitvec", - "blake2b_simd", - "corez", - "ff", - "fpe", - "getset", - "group", - "halo2_gadgets", - "halo2_poseidon", - "halo2_proofs", - "hex", - "incrementalmerkletree", - "lazy_static", - "memuse", - "nonempty", - "pasta_curves", - "proptest", - "rand 0.8.5", - "rand_core 0.6.4", - "reddsa", - "serde", - "sinsemilla", - "subtle", - "tracing", - "visibility", - "zcash_note_encryption", - "zcash_spec", - "zip32", -] - [[package]] name = "ordered-float" version = "2.10.1" @@ -3154,7 +3118,6 @@ dependencies = [ "incrementalmerkletree", "jubjub", "nonempty", - "orchard", "pasta_curves", "postcard", "rand_core 0.6.4", @@ -3166,6 +3129,7 @@ dependencies = [ "serde_with", "sha2 0.10.8", "shardtree", + "valar-orchard", "zcash_note_encryption", "zcash_primitives", "zcash_proofs", @@ -6312,6 +6276,43 @@ dependencies = [ "serde", ] +[[package]] +name = "valar-orchard" +version = "0.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0415fc8aba029019c974bb0b0cc47e0bca53a27fdc2da263a2e6c99c9b3727f8" +dependencies = [ + "aes", + "bitvec", + "blake2b_simd", + "corez", + "ff", + "fpe", + "getset", + "group", + "halo2_gadgets", + "halo2_poseidon", + "halo2_proofs", + "hex", + "incrementalmerkletree", + "lazy_static", + "memuse", + "nonempty", + "pasta_curves", + "proptest", + "rand 0.8.5", + "rand_core 0.6.4", + "reddsa", + "serde", + "sinsemilla", + "subtle", + "tracing", + "visibility", + "zcash_note_encryption", + "zcash_spec", + "zip32", +] + [[package]] name = "valuable" version = "0.1.0" @@ -7065,7 +7066,6 @@ dependencies = [ "jubjub", "memuse", "nonempty", - "orchard", "pasta_curves", "pczt", "percent-encoding", @@ -7096,6 +7096,7 @@ dependencies = [ "tower", "tracing", "trait-variant", + "valar-orchard", "webpki-roots 1.0.3", "which", "zcash_address", @@ -7125,7 +7126,6 @@ dependencies = [ "incrementalmerkletree", "jubjub", "nonempty", - "orchard", "postcard", "proptest", "prost", @@ -7143,6 +7143,7 @@ dependencies = [ "time", "tokio", "tracing", + "valar-orchard", "wasm_sync", "which", "zcash_address", @@ -7175,7 +7176,6 @@ dependencies = [ "jubjub", "maybe-rayon", "nonempty", - "orchard", "pasta_curves", "proptest", "prost", @@ -7198,6 +7198,7 @@ dependencies = [ "time", "tracing", "uuid", + "valar-orchard", "zcash_address", "zcash_client_backend", "zcash_encoding", @@ -7229,9 +7230,9 @@ dependencies = [ "blake2b_simd", "ff", "jubjub", - "orchard", "rand_core 0.6.4", "sapling-crypto", + "valar-orchard", "zcash_address", "zcash_primitives", "zcash_proofs", @@ -7269,7 +7270,6 @@ dependencies = [ "jubjub", "memuse", "nonempty", - "orchard", "proptest", "rand 0.8.5", "rand_chacha 0.3.1", @@ -7280,6 +7280,7 @@ dependencies = [ "secrecy", "subtle", "tracing", + "valar-orchard", "zcash_address", "zcash_encoding", "zcash_protocol", @@ -7321,7 +7322,6 @@ dependencies = [ "jubjub", "memuse", "nonempty", - "orchard", "pprof", "proptest", "rand_core 0.6.4", @@ -7330,6 +7330,7 @@ dependencies = [ "sapling-crypto", "secp256k1", "sha2 0.10.8", + "valar-orchard", "zcash_encoding", "zcash_note_encryption", "zcash_protocol", diff --git a/Cargo.toml b/Cargo.toml index 6dff6ec5b0..aeefb4f536 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -68,7 +68,14 @@ redjubjub = { version = "0.8", default-features = false } sapling = { package = "sapling-crypto", version = "0.6.2", default-features = false } # - Orchard -orchard = { version = "0.12", default-features = false } +# +# Points at the Valar Group `valar-orchard` fork on crates.io, aliased locally to +# `orchard` so every member still writes `use orchard::…`. The fork is +# upstream-0.12.0 + post-release fixes (up to zcash/orchard 6b12c77) + governance- +# visibility additions needed by the shielded-voting circuits in +# valargroup/voting-circuits. Drop back to `orchard = "0.12"` once those +# visibility changes land in zcash/orchard upstream. +orchard = { version = "0.12.0", package = "valar-orchard", default-features = false } pasta_curves = "0.5" # - Transparent @@ -231,4 +238,6 @@ unexpected_cfgs = { level = "warn", check-cfg = [ [patch.crates-io] sapling = { package = "sapling-crypto", git = "https://github.com/zcash/sapling-crypto.git", rev = "b8a81c22f034d68f9bbd6cba728aab807b9ba2ea" } -orchard = { package = "orchard", git = "https://github.com/zcash/orchard.git", rev = "b0bf2670e248958c6ce7c1deed466032e0dbd4d9" } +# No orchard patch: the workspace resolves `orchard` via its `package = "valar-orchard"` +# alias on crates.io, which already carries the post-0.12.0 upstream fixes plus the +# governance-visibility additions. From a25aa1b32f02d7d9aa1f2a9b6e2382fd85df1c67 Mon Sep 17 00:00:00 2001 From: roman Date: Fri, 24 Apr 2026 16:27:09 -0300 Subject: [PATCH 2/2] ci: unblock cargo-vet and readme-graph for valar-orchard rename MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The workspace now resolves `orchard` through the `valar-orchard` package on crates.io via `package = "valar-orchard"`. Two CI jobs keyed on the original crate name and needed to learn about the rename: - supply-chain/config.toml: add a `safe-to-deploy` exemption for `valar-orchard 0.12.0` (matches the criteria previously granted to `orchard 0.12.0@git:b0bf2670e2…`) and drop the now-unreachable orchard@git exemption: nothing in Cargo.lock resolves to it anymore. `corez 0.1.1` is already exempted via the upstream `core2 → corez` migration on this base, so no change needed there. - .github/helpers/check-dep-graph.py: add a `PACKAGE_NAME_REMAP` table that maps cargo-tree's package names back to the aliases used in the README mermaid graph, and apply it while building `cargo_edges`. Without this, every README edge mentioning `orchard` looks stale because `cargo tree -f ' {p}'` reports the real package name (`valar-orchard`), and every real edge mentioning `valar-orchard` is silently dropped because it is not in `CRATES_IN_GRAPH`. Verified locally: - `cargo vet --locked` → `Vetting Succeeded (262 fully audited, 120 partially audited, 294 exempted)` - `python3 .github/helpers/check-dep-graph.py` → exit 0, no output Made-with: Cursor --- .github/helpers/check-dep-graph.py | 9 +++++++++ supply-chain/config.toml | 8 ++++---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/.github/helpers/check-dep-graph.py b/.github/helpers/check-dep-graph.py index d3aec508a6..b5f0d74454 100644 --- a/.github/helpers/check-dep-graph.py +++ b/.github/helpers/check-dep-graph.py @@ -32,6 +32,14 @@ 'zip32', ]) +# Maps cargo package names to the logical name used in README.md's mermaid graph. +# The workspace imports `orchard` via the `valar-orchard` crates.io package using +# cargo's `package = "valar-orchard"` rename, so `cargo tree` reports the real +# package name `valar-orchard` while the README uses the alias `orchard`. +PACKAGE_NAME_REMAP = { + 'valar-orchard': 'orchard', +} + def main(): script_dir = os.path.dirname(os.path.realpath(__file__)) base_dir = os.path.dirname(os.path.dirname(script_dir)) @@ -79,6 +87,7 @@ def main(): continue (depth, crate, _) = line.strip().split(' ', 2) depth = int(depth) + crate = PACKAGE_NAME_REMAP.get(crate, crate) if depth == 0: crate_stack = [crate] diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 64757fc85b..8983c511b4 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -844,10 +844,6 @@ criteria = "safe-to-deploy" version = "11.1.4" criteria = "safe-to-deploy" -[[exemptions.orchard]] -version = "0.12.0@git:b0bf2670e248958c6ce7c1deed466032e0dbd4d9" -criteria = "safe-to-deploy" - [[exemptions.ordered-float]] version = "2.10.1" criteria = "safe-to-deploy" @@ -1588,6 +1584,10 @@ criteria = "safe-to-deploy" version = "1.8.0" criteria = "safe-to-deploy" +[[exemptions.valar-orchard]] +version = "0.12.0" +criteria = "safe-to-deploy" + [[exemptions.wait-timeout]] version = "0.2.0" criteria = "safe-to-deploy"