Open nejucomo opened 3 months ago
I began a PR to try this by simply adding `rustls-tls` to `reqwest` feature flags, and I hit a snag:
```text
$ cargo check
error: failed to select a version for `subtle`.
... required by package `rustls v0.22.2`
... which satisfies dependency `rustls = "^0.22.2"` of package `reqwest v0.12.4`
... which satisfies dependency `reqwest = "^0.12"` (locked to 0.12.4) of package `zingolib v0.2.0 (/home/user/src/github.com/zingolabs/zingolib/zingolib)`
... which satisfies path dependency `zingolib` (locked to 0.2.0) of package `darkside-tests v0.1.0 (/home/user/src/github.com/zingolabs/zingolib/darkside-tests)`
versions that meet the requirements `^2.5.0` are: 2.5.0
all possible versions conflict with previously selected packages.
previously selected package `subtle v2.4.1`
... which satisfies dependency `subtle = "^2.3"` (locked to 2.4.1) of package `orchard v0.8.0`
... which satisfies dependency `orchard = "^0.8"` (locked to 0.8.0) of package `darkside-tests v0.1.0 (/home/user/src/github.com/zingolabs/zingolib/darkside-tests)`
failed to select a version for `subtle` which could resolve this conflict
```
I have tried a variety of dependency version tweaks to get around this. Downgrading `reqwest` to `^0.11` resolves this transitive version conflict, but the resulting build still relies on `openssl-sys`, so I'm unsure how to proceed.
Summary
Across the whole workspace, there are two TLS crates (`rustls` and `openssl-sys`) and 3 distinct versions used (shown below). One improvement would be to use a single crate. Another improvement would be to use a single version of a single crate (to minimize the "bug / security issue window").

Selecting a Single Crate
My understanding of these two options is:

- `openssl` - wraps `libopenssl`. Pros: ancient, well-trodden library (many contributors, long lineage). Cons: ancient code written in a memory-unsafe language. Requires platform support to build the workspace (see below).
- `rustls` - a pure Rust implementation of TLS. Pros: newer code with less complexity than `openssl`. Written in Rust, benefiting from safety features. Builds with `cargo` without any platform-specific support. Cons: younger than `openssl`. Maybe fewer eyes / less scrutiny? (I'm not sure; I have the impression large portions of the Rust ecosystem rely on it.)

My personal recommendation would be to rely only on `rustls`, primarily because of Rust's safety features and a newer, leaner code base.

Pinning a Single Version
I haven't investigated how to get the workspace to (transitively) depend on a single `rustls` version yet.

Analysis
How to Remove `openssl-sys`

It looks like the only thing depending on `openssl-sys` from this workspace is transitively via `reqwest`, which has a feature flag to use `rustls` instead of "native" implementations: `rustls-tls`.

So I think the fix is a one-liner to add that feature.
Discovery
I discovered this issue by cloning the repo, then doing `cargo build` on a `nix` system which was configured only to build pure Rust projects without any "system" dependencies. The build failure comes from a `build.rs` script failing to invoke `pkg-config`, which is a standard Linux utility to query for C library paths / metadata: