This is problematic in projects that want to use Rustls with (only) the native roots and have cloudflare as dependency because the rustls-tls feature actually resolves to rustls-tls-webpki-roots.
Even more so, if a project uses cloudflare as dependency with the rustls-tls feature (which, as mentioned, resolves to rustls-tls-webpki-roots) and itself uses reqwest with the rustls-tls-native-roots feature, reqwest will actually use the root certificates from both sources with Rustls because of how Cargo's feature unification works where the union of all enabled features is used on that dependency when building it.
cloudflare'sreqwestdependency offers various optional features to control which root certificates are used by reqwest. While some features such asdefault-tlsandrustls-tlshave corresponding features in cloudflare's Cargo.toml, the more fine-grainedrustls-tls-native-roots(andrustls-tls-webpki-roots) are currently not supported.This is problematic in projects that want to use Rustls with (only) the native roots and have
cloudflareas dependency because therustls-tlsfeature actually resolves torustls-tls-webpki-roots.Even more so, if a project uses
cloudflareas dependency with therustls-tlsfeature (which, as mentioned, resolves torustls-tls-webpki-roots) and itself usesreqwestwith therustls-tls-native-rootsfeature, reqwest will actually use the root certificates from both sources with Rustls because of how Cargo's feature unification works where the union of all enabled features is used on that dependency when building it.