-
Notifications
You must be signed in to change notification settings - Fork 183
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Decide what to do about rustls defaulting to aws-lc-rs instead of ring #751
Comments
Hi @Diggsey, welcome to ureq! I haven't made up my mind on how to deal with this situation. ureq was built on the idea of having very few dependencies. When
I've had no ureq user asking for us to upgrade to rustls 0.23 – obviously just a matter of time though. I hope we can stall and have a clearer way forward once the dust settles. |
Just on this point, I don't see any direct use of |
Updated my above comment to reflect this. |
Right, all If you don't want users of |
Libraries in general should always be passing |
Yeah. I know.
That doesn't work because it make ureq unusable "out of the box". If you depend on ureq, you'd additional have to depend on rustls with a selection of backend, or ureq won't compile. I think we'll go with the advice here:
|
You can re-expose the features from |
True, I'm just not convinced I want to introduce more feature flags unless I absolutely have to. ureq is > 1.x.x, which means there's a kind of "contract" to be non-breaking. It's also |
Having read up some more on I always thought Rustls ambition was to provide a "pure Rust" TLS implementation. The original README said "Rustls is a modern TLS library written in Rust". However, I clearly read things into that which was never stated. With ring, it was of course never pure (it's a mix of asm/C/Rust) and from my limited understanding of crypto, many of the optimizations required for modern crypto primitives are hand written assembly, which will take a long time, if ever, to replace with any Rust equivalent (or at least the asm! macro). However I used to believe Rustls ambition was to aim towards a pure Rust TLS library. From my (extremely Rust centric) view, For me, cmake, nasm and golang (uhm, lol?) as build requirement (yes I know golang is only for FIPS) moves rustls much further away from any "pure Rust" ideals – but then again, that was probably never the goal. |
Did you mean to post this on the other other issue? (I agree completely btw) |
No, I don't have the emotional bandwidth to engage and argue a case. In the other thread someone already said that it's about different prioritizations – which is of course true. I also know that everyone involved in rustls are deeply invested in Rust in many different projects. They are closer to this problem and likely have different prioritizations than me. My comment is to document this for ureq's side, where I do get to pick the priorities. I'm perplexed (and sad), that a project I rate very highly took this turn, but I also don't have any choice that is more closely aligned with what I want. It is what it is. |
Closing since we're moving to ureq 3.x. |
rustls
now requiresaws-lc
as a default dependency, which doesn't build without a load of extra dependencies. This crate should specifydefault-features = false
so that end users can continue to use thering
backend ofrustls
The text was updated successfully, but these errors were encountered: