NixOS / nixpkgs

Nix Packages collection & NixOS

Enable OPENSSL_NO_VENDOR by default for rustPlatform (or in-tree rust packages?) #303975

Open Aleksanaa opened 7 months ago

Aleksanaa commented 7 months ago

OPENSSL_NO_VENDOR allows openssl-sys to use the openssl we provide instead of its own included one. This can reduce closure size and (perhaps?) improve security since we only have to track a small number of openssl versions.

However, there are no obvious signs indicating this should be used, unless missing it causes a build failure, or someone checks Cargo.toml very carefully. A search on GitHub shows that currently only 63 packages have this environment variable included.

I would like to ask:

  1. Is this necessary, or do the benefits make it worth using by default?
  2. Can we include this environment variable in buildRustPackage by default?
  3. Are there other ways to indicate that some packages need to add OPENSSL_NO_VENDOR?

One solution would be going further than vendoring every Cargo.lock: create a central place to put all cargo packages (being used) and turn them into Nix derivations, so we can deal with this kind of issue easily.
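One concrete answer to question 3, as an added example that is not code from the issue or from nixpkgs: openssl-sys only pulls in the `openssl-src` crate when its `vendored` feature is enabled, so the presence of `openssl-src` in a package's Cargo.lock is a reliable sign that the build will compile its own bundled OpenSSL unless OPENSSL_NO_VENDOR is set. The POSIX sh script below applies that heuristic to a lockfile; the function name, its exit-code convention and the two sample lockfiles are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of the nixpkgs issue or the openssl crate.
# Heuristic: a Cargo.lock that lists openssl-sys together with openssl-src
# will build a bundled OpenSSL from source unless OPENSSL_NO_VENDOR is set.

# needs_openssl_no_vendor <path-to-Cargo.lock>
# Prints a verdict and returns:
#   0  openssl-src is pulled in, so OPENSSL_NO_VENDOR = 1 is advisable
#   1  openssl-sys is present but links against the system OpenSSL already
#   2  openssl-sys is not in the lockfile at all
needs_openssl_no_vendor() {
    lock="$1"
    if ! grep -q '^name = "openssl-sys"$' "$lock"; then
        echo "$lock: openssl-sys not in lockfile; nothing to do"
        return 2
    fi
    if grep -q '^name = "openssl-src"$' "$lock"; then
        echo "$lock: openssl-src present, a bundled OpenSSL will be built;" \
             "set OPENSSL_NO_VENDOR = 1 and add pkg-config + openssl to the inputs"
        return 0
    fi
    echo "$lock: openssl-sys uses the system OpenSSL; OPENSSL_NO_VENDOR not needed"
    return 1
}

# make_samples: writes two constructed lockfiles into a temp dir and prints the dir.
# The version numbers and dependency lists are made up for the demonstration.
make_samples() {
    dir=$(mktemp -d)
    # Lockfile of a crate built with the `vendored` feature: openssl-src appears.
    cat > "$dir/vendored.lock" <<'EOF'
[[package]]
name = "openssl-src"
version = "300.0.0+3.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl-sys"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "cc",
 "libc",
 "openssl-src",
 "pkg-config",
]
EOF
    # Lockfile of a crate that links the system OpenSSL: no openssl-src.
    cat > "$dir/system.lock" <<'EOF'
[[package]]
name = "openssl-sys"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "cc",
 "libc",
 "pkg-config",
]
EOF
    echo "$dir"
}

# Stand-alone demo: run the check over both constructed lockfiles.
# The verdict exit code is deliberately ignored here so the loop completes.
SAMPLES=$(make_samples)
for f in "$SAMPLES/vendored.lock" "$SAMPLES/system.lock"; do
    needs_openssl_no_vendor "$f" || true
done
```

In a nixpkgs review this is cheap to run against the `Cargo.lock` of a package under review; a verdict of 0 is the cue to add `OPENSSL_NO_VENDOR = 1` together with `pkg-config` in `nativeBuildInputs` and `openssl` in `buildInputs`, which is exactly the pattern the 63 packages mentioned above already follow.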

lolbinarycat commented 7 months ago

can you point to where in the openssl crate this option is documented?

eclairevoyant commented 7 months ago

https://github.com/sfackler/rust-openssl/blob/83b3186f5f0c82c28339c2b235b3bb4e5d324b7b/openssl-sys/build/main.rs#L50-L54

https://docs.rs/openssl/latest/openssl/#manual