carllerche / tower-web

A fast, boilerplate free, web framework for Rust
MIT License

Bump tokio-rustls to 0.9.0 #182

Open chastabor opened 5 years ago

carllerche commented 5 years ago

Would this be a breaking change to tower-web?

chastabor commented 5 years ago

That is a good question.

Since we don't export tokio-rustls, like in our rustls example -- which I just now noticed, a tower-web library user would have had to include the tokio-rustls library in their Cargo.toml file in order to load their certs; thus they would have to bump their version of tokio-rustls up to 0.9.0 as well in their Cargo.toml file. The reason for this is that we cannot have different versions of the ring library (I'm not sure why that is the case).

If you are using any other libraries like jsonwebtoken, tokio-rustls, and hyper-rustls in your code, which have a dependency on the ring library, then your code will not compile until you match up all the libraries to use the same version of the ring library. One problem with this is that not everyone maintains their libraries at the same time to utilize the newer version of the ring library; so you can be stuck using an older version until that library you want finally utilizes the latest ring library.

An example of the type of breaking changes that can occur: In the past I would just bump up my versions to match and haven't encountered any breaking changes. This time around, however, I had some code that was using ring::aead functions to encrypt cookies. Since they changed their function signatures to use Nonce and Aad types instead of more generic [u8], I had to modify my application, which is a breaking change for my server code, but not for tower-web in general.

I think for the most part one thing we can do to help eliminate Cargo.toml library bumps (like what would happen in our rustls example) is to export out the version of tokio-rustls we are using in tower-web, and then rework the example to use that. That way the end user can do something similar and they don't have to put a version of tokio-rustls in their Cargo.toml file. If they are just using the rustls feature we are providing in tower-web to manage SSL certs, then there will be no breaking changes. I haven't exported other library features before, but can look into it as I think I've seen that done with hyper-rustls.

As for library clients that are also using other ring-dependent libraries like the jsonwebtoken library I'm using in my application, I'm not sure what is possible to make this simpler for them.

carllerche commented 5 years ago

Unfortunately, it does look like it would be a breaking change... tower-web provides implementations for tokio-rustls 0.8 types. Bumping the version would remove those impls.

The two options are to wait until a breaking tower-web release happens or to add a feature flag for tokio-rustls-0-9.