tealdeer: rustls -> native-tls #346497
tealdeer: rustls -> native-tls #346497
Conversation
ofborg
bot
added
11.by: package-maintainer
|
It seems like Rustls is the upstream default and what they build their own releases with. I think sticking with the memory‐safe implementation makes more sense without a strong reason to diverge from that. |
pkgs/tools/misc/tealdeer/default.nix
Outdated
| cargoBuildFlags = [ | ||
| # use OpenSSL for the TLS backend instead of the default rustls | ||
| "--no-default-features" | ||
| "--features=native-tls" | ||
| ]; |
There was a problem hiding this comment.
| cargoBuildFlags = [ | |
| # use OpenSSL for the TLS backend instead of the default rustls | |
| "--no-default-features" | |
| "--features=native-tls" | |
| ]; | |
| buildNoDefaultFeatures = true; | |
| buildFeatures = [ "native-tls" ]; |
newAM
force-pushed
the
tealdeer-openssl
branch
from
9f7e3b3
to
8b7199f
Compare
I do not think it's fair to call rustls memory safe, it depends on the ring crate which is largely ASM on x86_64 for performance reasons. The rationale is that the binary sizes are substantially smaller with libssl, which is almost always already on the system since nix itself links it. Measurements are in the original post. |
|
Well, it’s memory safe in the sense that all Rust is: the bulk of the code involving gnarly and vulnerability‐prone stuff like X.509 parsing etc. is written in a memory‐safe dialect, but at the bottom there are of course primitives that need to be trusted. Cryptography primitives are usually not especially high‐risk for memory safety, since they tend to operate on fixed blocks with known bounds. I don’t think that shaving off a megabyte is worth the sacrifice here without another reason to diverge from upstream to use something less safe. |
|
Would a flag in the package args be a possible solution? There's still the need to agree on whether it should be opt-in or opt-out, but at least it would leave the choice in the hands of the users who care enough to look for it |
|
If there’s a meaningful functionality difference for users (e.g. more protocol versions supported with OpenSSL?), then that could be reasonable. I don’t think we should just delegate every packaging decision to users, though, especially ones trading off memory safety for a megabyte of storage. The upstream change that added |
|
I think it makes more sense to stick to the upstream default when it doesn't break functionality. If you really care about this, you can add an option to achieve it. |
|
I'm happy to accept the consensus that it's better off with rustls, thanks everyone for the discussion! |
Things done
The recent tealdeer v1.7.0 release added support for the
native-tlscrate which dynamically links libssl on Linux instead of therustlscrate.This change reduces the
tldrbinary size:nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 👍 reaction to pull requests you find important.