feat: native TLS#1541
Conversation
roderickvd
force-pushed
the
feat/native-tls
branch
from
a3e3017 to
f09ab81
Compare
|
Do you know of act? I can highly recommend it if you have to debug the ci/cross-compile section. For it to work with act you have to make some adjustments found here dev...photovoltex:librespot:add-stages-for-act (maybe you also had to use a different image, I can't remember quite anymore tho). |
- Split workflows into focused files (quality, cross-compile, build) - Replace manual SSL setup with rust-cross action for ARM/RISC-V builds - Consolidate Linux/Windows testing into single matrix job - Switch to specialized rust-cache and best-practice actions - Simplify clippy strategy to single comprehensive command - Add debug artifact publishing for all platforms - Fix YAML lint issues and improve formatting - Remove workflow dependencies for parallel execution
I didn't and that does sound worth looking into to. As you can see, going down the rabbit hole now... opportunistically refactoring the workflow definitions too. If and when this passes, question is: do we want to always rely on native TLS? Or do we want to have features to opt for something else too? As commented here, when you go for any form of rustls today, then you will automatically get webpki bundled through |
Thanks for looking into that, tho I can fully understand the initial decision to use webpki instead of native. Looking back at some changes around the topic I found #1402. So we probably still need to provide a alternative with webpki. I would probably go for a feature instead of conditional compilation as this should be an explicit choice. |
|
Yeah. And besides choice and explicitness I think I’m going to stop fighting the CI for Ubuntu not providing So probably a feature flag |
|
Hey, I know about the WIP state, but I tried to test it anyway. I downloaded and unzipped the artifacts "librespot-linux-aarch64-1.85" and "librespot-linux-aarch64-stable" from https://github.com/librespot-org/librespot/actions/runs/17026346100 I tried to symlink the libs But there is some hard dependency to deprecated versions 1.0.0 of libcrypto and libssl: |
|
This is one reason when we discussed before not to publish artifacts: we could be swamped with support requests for these kind of dynamic linking problems stemming from different distributions, versions, etcetera. Not a criticism to you @RafaelKa but a reminder why we might not want to do this. |
But you'll publish the artifacts/binaries to releases? |
|
No, we’ve always left that to downstream distributions. |
- Remove default features from core and oauth crates - Move compile-time feature checks from core to oauth - Update CI workflows to build with default features and clarify artifact names - Separate rustls-tls build for riscv64gc target in cross-compile workflow
- Split cargo-hack checks and clippy runs into separate steps for TLS options - Simplify artifact naming in cross-compile workflow - Update RISC-V target to use rustls-tls and remove OpenSSL steps
|
Btw. you still want that to include this in 0.7, right? Can you request my review if you are done with it, so I can take a final look? |
|
Yes, that'd be great. I'll tag you when ready. I may just have found a way to have default features in the workspace members after all... sorry not sorry for the major |
Move dependency paths and versions to workspace, update feature propagation, and clean up per-crate Cargo.toml files for consistency. This also enables default features for workspace members.
photovoltex
left a comment
photovoltex
left a comment
There was a problem hiding this comment.
Seems overall good, just some minor thoughts here and there that came up during review :)
|
I checked |
…lt (librespot-org#1541) Add support for choosing between native-tls and rustls-tls backends through feature flags, with native-tls as the default for maximum platform compatibility. Key changes: - Add mutually exclusive native-tls and rustls-tls feature flags - Use conditional compilation to select TLS implementation - Configure rustls-tls with platform certificate verifier - Refactor to workspace-based dependency management - Update CI workflows with improved cross-compilation support - Add comprehensive TLS backend documentation The native-tls backend uses system TLS libraries (OpenSSL on Linux, Secure Transport on macOS, SChannel on Windows) while rustls-tls provides a pure Rust implementation with platform certificate stores.
…lt (librespot-org#1541) Add support for choosing between native-tls and rustls-tls backends through feature flags, with native-tls as the default for maximum platform compatibility. Key changes: - Add mutually exclusive native-tls and rustls-tls feature flags - Use conditional compilation to select TLS implementation - Configure rustls-tls with platform certificate verifier - Refactor to workspace-based dependency management - Update CI workflows with improved cross-compilation support - Add comprehensive TLS backend documentation The native-tls backend uses system TLS libraries (OpenSSL on Linux, Secure Transport on macOS, SChannel on Windows) while rustls-tls provides a pure Rust implementation with platform certificate stores.
Maybe we're lucky and the latest Rust ecosystem is allowing us to switch to native TLS easily.
This PR switches from rustls and ring to native TLS on all platforms.
Fixes #1158