-
Notifications
You must be signed in to change notification settings - Fork 242
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build: use rustls for TLS instead of relying on openssl #754
Conversation
Oh there we go, I had to set So I'm not sure if this is possible, but if for some reason you'd like to continue to produce builds linked to openssl, I'm wondering if it can be put behind a Volta feature. Rustls definitely simplifies the build - it doesn't require |
Aw, I see some nontrivial build failures regarding building assembly in @charlespierce If you like this PR, I can take a further look. |
Thanks for starting to look into this @joshuarli! OpenSSL compatibility was a big pain to figure out, so moving away from that is definitely interesting to prevent having to revisit that whole situation again. That said, when we've evaluated in the past, there are a couple of concerns that we have:
So for those reasons, we haven't yet committed to a statically linked approach, though I'd be more than happy to have an RFC / Issue discussion around the pros and cons. |
Yup, I'm aware that rustls doesn't have the "in-the-wild" experience and industry backing as OpenSSL. Looking forward to that security audit, I think Rust in general will benefit greatly with a solid TLS alternative that can be statically included. Let's let this PR stew for a while, I'm unsure if there are many other Volta users right now who care about this. And haha yeah, I can see the pain in your CI configs. |
@charlespierce Looks like the audit was just completed, refer to the issue you linked for updates. Results seem very positive. That said, it seems to be mostly a 1-person project, so I would hold out on it a little longer to see how healthy maintainership is. Or, I'm happy to take a stab at providing CI configurations to optionally build, test and release rustls versions behind a volta feature flag. |
@joshuarli I think a Rust feature flag makes sense. I'm not sure of how we would deploy it as a built, but since (I believe) switching mainly involves changing a feature flag in the A step beyond that, if you are interested, would be to build a |
I think you answered that yourself in the 2nd paragraph? Build + test + release in CI. Sounds like this is welcome, I'll toss a PR your way sometime soon. |
FYI: I changed the default branch for this repo from |
Looking at this more @charlespierce, my current knowledge of Cargo manifests falls short on how to implement this. I think this issue (rust-lang/cargo#5954) accurately describes the blocker. |
@joshuarli In this case, since we already depend on
If that all works the way I think it should, then running |
Closing; see #809. |
It'd be nice to ship more static binaries. Currently, release binaries for Linux are linked to various openssl versions, which can make it a little harder to add Volta to CI pipelines. Travis Xenial, for example, has openssl 1.0, so if for some reason someone wanted 1.1, they'd have to build the SO themselves and do some ld env var tweaking.
You can ignore this for now, I'm trying to see if I can update the lockfile to only see the addedrustls
and removedopenssl-sys
somehow without upgrading all transient deps (removingCargo.lock
and regenerating it).I think in theory simply adding thetls-rustls
feature and rebuilding would have updated the lockfile as expected, but it doesn't seem to be the case... perhaps the oldtls
feature is still there? Not sure right now, will look into it later.Even if I regenerated the lockfile, it still tries to buildopenssl-sys
.