Merge branch 'develop' into next

This resolves the conflicts and gets the workspace `Cargo.toml`s to not be
invalid. It doesn't actually get clippy to pass again yet.

Does move `crypto/dkg/src/evrf` into a new `crypto/dkg/evrf` crate (which does
not yet compile).

orchestration/Cargo.toml

@@ -24,7 +24,8 @@ rand_core = { version = "0.6", default-features = false, features = ["std", "get
 rand_chacha = { version = "0.3", default-features = false, features = ["std"] }
 
 transcript = { package = "flexible-transcript", path = "../crypto/transcript", default-features = false, features = ["std", "recommended"] }
-ciphersuite = { path = "../crypto/ciphersuite", default-features = false, features = ["std", "ristretto"] }
+ciphersuite = { path = "../crypto/ciphersuite", default-features = false, features = ["std"] }
+dalek-ff-group = { path = "../crypto/dalek-ff-group", default-features = false, features = ["std"] }
 embedwards25519 = { path = "../crypto/evrf/embedwards25519" }
 secq256k1 = { path = "../crypto/evrf/secq256k1" }
 

orchestration/runtime/Dockerfile

@@ -1,17 +1,17 @@
-# rust:1.80.0-slim-bookworm as of July 27th, 2024 (GMT)
-FROM --platform=linux/amd64 rust@sha256:37e6f90f98b3afd15c2526d7abb257a1f4cb7d49808fe3729d9d62020b07b544 as deterministic
+# rust:1.89.0-slim-bookworm as of August 1st, 2025 (GMT)
+FROM --platform=linux/amd64 rust@sha256:703cfb0f80db8eb8a3452bf5151162472039c1b37fe4fb2957b495a6f0104ae7 AS deterministic
 
 # Move to a Debian package snapshot
 RUN rm -rf /etc/apt/sources.list.d/debian.sources && \
   rm -rf /var/lib/apt/lists/* && \
-  echo "deb [arch=amd64] http://snapshot.debian.org/archive/debian/20240301T000000Z bookworm main" > /etc/apt/sources.list && \
+  echo "deb [arch=amd64] http://snapshot.debian.org/archive/debian/20250801T000000Z bookworm main" > /etc/apt/sources.list && \
   apt update
 
 # Install dependencies
-RUN apt update && apt upgrade && apt install clang -y
+RUN apt update -y && apt upgrade -y && apt install -y clang
 
 # Add the wasm toolchain
-RUN rustup target add wasm32-unknown-unknown
+RUN rustup target add wasm32v1-none
 
 FROM deterministic
 

orchestration/src/coordinator.rs

@@ -2,7 +2,8 @@ use std::path::Path;
 
 use zeroize::Zeroizing;
 
-use ciphersuite::{group::ff::PrimeField, Ciphersuite, Ristretto};
+use dalek_ff_group::Ristretto;
+use ciphersuite::{group::ff::PrimeField, Ciphersuite};
 
 use crate::{Network, Os, mimalloc, os, build_serai_service, write_dockerfile};
 

orchestration/src/main.rs

@@ -18,12 +18,13 @@ use rand_chacha::ChaCha20Rng;
 
 use transcript::{Transcript, RecommendedTranscript};
 
+use dalek_ff_group::Ristretto;
 use ciphersuite::{
   group::{
     ff::{Field, PrimeField},
     GroupEncoding,
   },
-  Ciphersuite, Ristretto,
+  Ciphersuite,
 };
 use embedwards25519::Embedwards25519;
 use secq256k1::Secq256k1;
@@ -94,7 +95,7 @@ fn os(os: Os, additional_root: &str, user: &str) -> String {
   match os {
     Os::Alpine => format!(
       r#"
-FROM alpine:latest as image
+FROM alpine:latest AS image
 
 COPY --from=mimalloc-alpine libmimalloc.so /usr/lib
 ENV LD_PRELOAD=libmimalloc.so
@@ -119,7 +120,7 @@ WORKDIR /home/{user}
 
     Os::Debian => format!(
       r#"
-FROM debian:bookworm-slim as image
+FROM debian:bookworm-slim AS image
 
 COPY --from=mimalloc-debian libmimalloc.so /usr/lib
 RUN echo "/usr/lib/libmimalloc.so" >> /etc/ld.so.preload
@@ -148,7 +149,7 @@ fn build_serai_service(prelude: &str, release: bool, features: &str, package: &s
 
   format!(
     r#"
-FROM rust:1.80-slim-bookworm as builder
+FROM rust:1.89-slim-bookworm AS builder
 
 COPY --from=mimalloc-debian libmimalloc.so /usr/lib
 RUN echo "/usr/lib/libmimalloc.so" >> /etc/ld.so.preload
@@ -162,7 +163,7 @@ RUN apt install -y pkg-config clang
 RUN apt install -y make protobuf-compiler
 
 # Add the wasm toolchain
-RUN rustup target add wasm32-unknown-unknown
+RUN rustup target add wasm32v1-none
 
 {prelude}
 

orchestration/src/message_queue.rs

@@ -1,6 +1,7 @@
 use std::path::Path;
 
-use ciphersuite::{group::GroupEncoding, Ciphersuite, Ristretto};
+use dalek_ff_group::Ristretto;
+use ciphersuite::{group::GroupEncoding, Ciphersuite};
 
 use crate::{Network, Os, mimalloc, os, build_serai_service, write_dockerfile};
 

orchestration/src/mimalloc.rs

@@ -2,7 +2,7 @@ use crate::Os;
 
 pub fn mimalloc(os: Os) -> &'static str {
   const ALPINE_MIMALLOC: &str = r#"
-FROM alpine:latest as mimalloc-alpine
+FROM alpine:latest AS mimalloc-alpine
 
 RUN apk update && apk upgrade && apk --no-cache add gcc g++ libc-dev make cmake git
 RUN git clone https://github.com/microsoft/mimalloc && \
@@ -16,7 +16,7 @@ RUN git clone https://github.com/microsoft/mimalloc && \
 "#;
 
   const DEBIAN_MIMALLOC: &str = r#"
-FROM debian:bookworm-slim as mimalloc-debian
+FROM debian:bookworm-slim AS mimalloc-debian
 
 RUN apt update && apt upgrade -y && apt install -y gcc g++ make cmake git
 RUN git clone https://github.com/microsoft/mimalloc && \

orchestration/src/networks/bitcoin.rs

@@ -5,16 +5,16 @@ use crate::{Network, Os, mimalloc, os, write_dockerfile};
 pub fn bitcoin(orchestration_path: &Path, network: Network) {
   #[rustfmt::skip]
   const DOWNLOAD_BITCOIN: &str = r#"
-FROM alpine:latest as bitcoin
+FROM alpine:latest AS bitcoin
 
 ENV BITCOIN_VERSION=27.1
 
-RUN apk --no-cache add git gnupg
+RUN apk --no-cache add wget git gnupg
 
 # Download Bitcoin
-RUN wget https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/bitcoin-${BITCOIN_VERSION}-$(uname -m)-linux-gnu.tar.gz \
-  && wget https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/SHA256SUMS \
-  && wget https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/SHA256SUMS.asc
+RUN wget -4 https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/bitcoin-${BITCOIN_VERSION}-$(uname -m)-linux-gnu.tar.gz
+RUN wget -4 https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/SHA256SUMS
+RUN wget -4 https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/SHA256SUMS.asc
 
 # Verify all sigs and check for a valid signature from laanwj -- 71A3
 RUN git clone https://github.com/bitcoin-core/guix.sigs && \

orchestration/src/networks/ethereum/consensus/lighthouse.rs

@@ -5,15 +5,15 @@ pub fn lighthouse(network: Network) -> (String, String, String) {
 
   #[rustfmt::skip]
   const DOWNLOAD_LIGHTHOUSE: &str = r#"
-FROM alpine:latest as lighthouse
+FROM alpine:latest AS lighthouse
 
 ENV LIGHTHOUSE_VERSION=5.1.3
 
-RUN apk --no-cache add git gnupg
+RUN apk --no-cache add wget git gnupg
 
 # Download lighthouse
-RUN wget https://github.com/sigp/lighthouse/releases/download/v${LIGHTHOUSE_VERSION}/lighthouse-v${LIGHTHOUSE_VERSION}-$(uname -m)-unknown-linux-gnu.tar.gz
-RUN wget https://github.com/sigp/lighthouse/releases/download/v${LIGHTHOUSE_VERSION}/lighthouse-v${LIGHTHOUSE_VERSION}-$(uname -m)-unknown-linux-gnu.tar.gz.asc
+RUN wget -4 https://github.com/sigp/lighthouse/releases/download/v${LIGHTHOUSE_VERSION}/lighthouse-v${LIGHTHOUSE_VERSION}-$(uname -m)-unknown-linux-gnu.tar.gz
+RUN wget -4 https://github.com/sigp/lighthouse/releases/download/v${LIGHTHOUSE_VERSION}/lighthouse-v${LIGHTHOUSE_VERSION}-$(uname -m)-unknown-linux-gnu.tar.gz.asc
 
 # Verify the signature
 gpg --keyserver keyserver.ubuntu.com --recv-keys 15E66D941F697E28F49381F426416DC3F30674B0

orchestration/src/networks/ethereum/consensus/nimbus.rs

@@ -20,13 +20,15 @@ pub fn nimbus(network: Network) -> (String, String, String) {
 
   #[rustfmt::skip]
   let download_nimbus = format!(r#"
-FROM alpine:latest as nimbus
+FROM alpine:latest AS nimbus
 
 ENV NIMBUS_VERSION=24.3.0
 ENV NIMBUS_COMMIT=dc19b082
 
+RUN apk --no-cache add wget
+
 # Download nimbus
-RUN wget https://github.com/status-im/nimbus-eth2/releases/download/v${{NIMBUS_VERSION}}/nimbus-eth2_Linux_{platform}_${{NIMBUS_VERSION}}_${{NIMBUS_COMMIT}}.tar.gz
+RUN wget -4 https://github.com/status-im/nimbus-eth2/releases/download/v${{NIMBUS_VERSION}}/nimbus-eth2_Linux_{platform}_${{NIMBUS_VERSION}}_${{NIMBUS_COMMIT}}.tar.gz
 
 # Extract nimbus
 RUN tar xvf nimbus-eth2_Linux_{platform}_${{NIMBUS_VERSION}}_${{NIMBUS_COMMIT}}.tar.gz

orchestration/src/networks/ethereum/execution/reth.rs

@@ -5,15 +5,15 @@ pub fn reth(network: Network) -> (String, String, String) {
 
   #[rustfmt::skip]
   const DOWNLOAD_RETH: &str = r#"
-FROM alpine:latest as reth
+FROM alpine:latest AS reth
 
 ENV RETH_VERSION=0.2.0-beta.6
 
-RUN apk --no-cache add git gnupg
+RUN apk --no-cache add wget git gnupg
 
 # Download reth
-RUN wget https://github.com/paradigmxyz/reth/releases/download/v${RETH_VERSION}/reth-v${RETH_VERSION}-$(uname -m)-unknown-linux-gnu.tar.gz
-RUN wget https://github.com/paradigmxyz/reth/releases/download/v${RETH_VERSION}/reth-v${RETH_VERSION}-$(uname -m)-unknown-linux-gnu.tar.gz.asc
+RUN wget -4 https://github.com/paradigmxyz/reth/releases/download/v${RETH_VERSION}/reth-v${RETH_VERSION}-$(uname -m)-unknown-linux-gnu.tar.gz
+RUN wget -4 https://github.com/paradigmxyz/reth/releases/download/v${RETH_VERSION}/reth-v${RETH_VERSION}-$(uname -m)-unknown-linux-gnu.tar.gz.asc
 
 # Verify the signature
 gpg --keyserver keyserver.ubuntu.com --recv-keys A3AE097C89093A124049DF1F5391A3C4100530B4

orchestration/src/networks/monero.rs

@@ -22,12 +22,12 @@ fn monero_internal(
 
   #[rustfmt::skip]
   let download_monero = format!(r#"
-FROM alpine:latest as monero
+FROM alpine:latest AS monero
 
-RUN apk --no-cache add gnupg
+RUN apk --no-cache add wget gnupg
 
 # Download Monero
-RUN wget https://downloads.getmonero.org/cli/monero-linux-{arch}-v{MONERO_VERSION}.tar.bz2
+RUN wget -4 https://downloads.getmonero.org/cli/monero-linux-{arch}-v{MONERO_VERSION}.tar.bz2
 
 # Verify Binary -- fingerprint from https://github.com/monero-project/monero-site/issues/1949
 ADD orchestration/{}/networks/monero/hashes-v{MONERO_VERSION}.txt .

orchestration/src/processor.rs

@@ -2,7 +2,8 @@ use std::path::Path;
 
 use zeroize::Zeroizing;
 
-use ciphersuite::{group::ff::PrimeField, Ciphersuite, Ristretto};
+use dalek_ff_group::Ristretto;
+use ciphersuite::{group::ff::PrimeField, Ciphersuite};
 
 use crate::{Network, Os, mimalloc, os, build_serai_service, write_dockerfile};
 

orchestration/src/serai.rs

@@ -1,7 +1,8 @@
 use std::path::Path;
 
 use zeroize::Zeroizing;
-use ciphersuite::{group::ff::PrimeField, Ciphersuite, Ristretto};
+use dalek_ff_group::Ristretto;
+use ciphersuite::{group::ff::PrimeField, Ciphersuite};
 
 use crate::{Network, Os, mimalloc, os, build_serai_service, write_dockerfile};