Cargo appears to leak SSL_CERT_FILE and SSL_CERT_DIR to subprocesses #3676
Comments
|
Looks like its probably a dependency doing this (maybe libcurl?). Might be a bit awkward to deal with, but we could maybe snapshot the environment on startup and feed that to subprocesses? |
|
Oh right, it's openssl-probe. |
|
Yeah I'm ~100% sure openssl-probe would be doing this. I had no idea this could lead to bugs... @nathanaeljones for background on this there's a very long comment explaining what's going on, but the general gist is that we're shipping a statically linked OpenSSL so it's up to Cargo to find ssl certs for a system (normally this is configured by a distro). In doing so the only way we've found at least so far is to initialize through env vars, which is then causing this to leak into child processes. |
|
Got bit by this in #4002 |
|
Instead of overriding the environment, cargo should use |
|
@jethrogb this is all mediated through curl which AFAIK doesn't expose that. |
|
Sure it does, you just need to set |
|
PRs are of course always welcome to patch this up! This isn't intentional, it's just a side effect of how things are implemented today. |
|
Those environment variables will still affect anything downstream using curl. |
carols10cents
added
A-cargo-api
I have not personally confirmed that this is the case, but I'm betting it's the cause of sfackler/rust-openssl#575
cc #2888
The text was updated successfully, but these errors were encountered: