extrawurst / gitui

Blazing 💥 fast terminal-ui for git written in rust 🦀
MIT License
18.58k stars 573 forks source link

Using rustls instead of openssl? #2004

Open ajalexei opened 10 months ago

ajalexei commented 10 months ago

I wonder whether rustls library might be a viable substitute/alternative for openssl dependence? This would make gitui completely implemented in rust without any external dependencies.

extrawurst commented 10 months ago

Switching to rustls would be nice but since it keeps being dependent on libgit2 it will not be rust-only then by a long shot

ajalexei commented 10 months ago

Thanks a prompt reply.
Hmm, I overlooked that -- where is the libgit2 hidden? A quick look at the dependencies only gives ring that has some C-code.

extrawurst commented 10 months ago

It’s coming in via the git2 crate

ajalexei commented 10 months ago

Thanks. However "cargo tree (--features ring,tls12,aws_lc-rs)" does not list any git related crates for the rustls 0.22.2 release. What am I missing?

extrawurst commented 8 months ago

here is the upstream issue: https://github.com/rust-lang/git2-rs/issues/623#issuecomment-1956957013

Shnatsel commented 8 months ago

It’s coming in via the git2 crate

Not as much "coming" as "people keep asking for it but it's unlikely to happen" given that the upstream libgit2 is barely maintained.

In order to migrate cargo audit to rustls we ported it to gitoxide. It also spared us some memory safety vulnerabilities, e.g. CVE-2024-24575 and CVE-2024-24577.

extrawurst commented 8 months ago

given that the upstream libgit2 is barely maintained

I think you mean git2-rs, right? libgit2 is highly active and git2-rs is just a wrapper so there is not much maintenance needed.

we ported it to gitoxide

I whish this was an option for gitui too, but for that its just not feature complete enough yet. but maybe the over-the-wire-features from gitoxide while using git2-rs for the rest would be an option