Open str4d opened 1 year ago
I'm aware of this. How do you think we should address it? (Did you end up in a state where you're using a newer version of tokio-rustls, or just consuming the mainline README while using an older version of the relevant crates? Do you not update crates regularly?)
What happened is I upgraded a binary project from tonic 0.9
to tonic 0.10
, in which the feature flag tls-webpki-roots
is enabled. That update did not change the tokio-rustls
version, so the versions of both that and rustls
in my Cargo.lock
remained at the version it was at when I added the tonic 0.9
. It did however include the migration away from the deprecated rustls
API (https://github.com/hyperium/tonic/pull/1443).
The "minimum correct fix" would have been for tonic
to add a direct dependency on rustls = "0.21.6"
, ensuring the API they use is available. But that also applies to every downstream of this crate. If this crate had made that dependency bump when its examples were bumped, then all downstream consumers of this crate would have automatically handled the issue. But that is somewhat by happenstance; it would have been technically fine for this crate to have its 0.21.0
bound, as long as its examples were still recommending the older deprecated API (then downstreams would be doing something this crate didn't recommend).
This is one of those weird issues caused by crates re-exporting the public APIs of their dependencies; there is no way to easily constrain minimum patch updates of transient dependencies of a crate, without adding a direct dependency on that transient dependency, and while it's obvious in this case, it's not generally obvious that the re-exported API is not controlled by the patch revision of the re-exporting crate.
For this crate, I think it would be fine to just ensure that any compiling code in this repository (including examples) is using APIs that are part of the minimum versions selected for the crate's dependencies. If, for example, a Cargo.lock
file had been checked in (as the new Cargo team guidance allows for), then this issue would likely have been discovered at the time the examples were updated, and the fact that the Cargo.lock
file required a bump to get examples compiling would be a good indication that the Cargo.toml
file also needed bumping.
I've opened https://github.com/hyperium/tonic/issues/1510 about fixing the downstream instance of this issue that hit me.
I am seeing unresolved imports tokio_rustls::rustls::OwnedTrustAnchor, tokio_rustls::rustls::ServerName
while trying to compile the example code today. Also a lot of errors related to missing webpki_roots
which I am not sure if I should pull it separately to compile examples. This is fairly confusing.
You probably have a version mismatch between rustls and tokio-rustls versions.
The README has this example code: https://github.com/rustls/tokio-rustls/blob/63b8d6f10392c1e7a1c81cf3c526c4d4054ff71d/README.md?plain=1#L22-L23
This API was added in
rustls 0.21.6
. However,Cargo.toml
(for the latest published release) only requirerustls 0.21.0
, leading to compilation errors if someone updatestokio-rustls
without also updating therustls
point release (and the error message does not make it obvious that this is the solution).