#1013869 rust-reqwest: feature rustls-tls has disappeared

#1013869#5
Date:
2022-06-26 08:28:17 UTC
From:
To:
t-reqwest is finally installable.  Yay!

Unfortunately, the feature rustls-tls has disappeared.

Please re-enable support for feature rustls-tls, needed by packages I am
preparing for Debian.

 - Jonas

#1013869#10
Date:
2022-06-26 08:50:41 UTC
From:
To:
Quoting Jonas Smedegaard (2022-06-26 10:28:17)

Please ignore that request - I now understand the (to me, at least)
relatively cryptic changelog entry, and will patch to instead use
feature rustls-native-certs.


  - Jonas

#1013869#15
Date:
2022-06-26 17:01:04 UTC
From:
To:
reopen 1013869
thanks.
Sorry if the changelog wasn't clear. I was building a stack of patches
with the expectation that some of them would be removed later.

reqwest upstream offers several options for tls.

native-tls/default-tls (enabled by default): this uses the
rust-native-tls crates which on Linux systems means it uses openssl.

rustls-tls-manual-roots: rustls with the application expected to supply
root certificates.

rustls-tls-webpki-roots/rustls-tls: rustls with roots from the
webpki-roots crate.

rustls-tls-native-roots: rustls with roots from the operating system
certificate store.

Presently only the default/native tls option is supported by the Debian
package.

To enable rustls support with native or manual roots, two crates which
are not in Debian are needed: tokio-rustls and hyper-rustls. For tokio-rustls
Alexander Kjäll prepared a package, which I have just sponsored into
NEW. I don't see any evidence that anyone is working on hyper-rustls
however.

To enable rustls support with webpki roots it would additionally be
necessary to re-introduce the rust-webpki-roots package. I personally
would be very skeptical about reintroducing it though, having root
certificates hardcoded into application binaries is just not something
packages in Debian should be doing without an extremely good reason.

#1013869#22
Date:
2022-06-26 17:40:59 UTC
From:
To:
Quoting Peter Michael Green (2022-06-26 19:01:04)

Not sure what you are saying above.  Feature "rustls-native-certs" *is*
currently offered.  Are you saying that that is broken until either of
tokio-rustls or hyper-rustls gets into Debian?!?

I agree - which was the reason I closed this bugreport, and instead
patched the project I am preparing to use feature "rustls-native-certs".

Fine that you reopen this bugreport if _you_ want to continue tracking
this, but since I no longer have a need for reqwest feature "rustls-tls"
please then adopt this bugreport - e.g. with `bts owner 1013869 !`.


 - Jonas

#1013869#27
Date:
2022-06-26 21:40:37 UTC
From:
To:
In Rust every optional dependency is automatically a "feature"
even if it is not actually intended to be used as one by downstream
crates.

I could have stripped out the rustls stuff completely, in retrospect
it would have been less confusing to do it that way, rather than
what I did which was going through the unsatisfiable optional
dependencies one by one patching out the optional dependency
and the features that depend on it. This left some "orphan" optional
dependencies which are satisfiable but aren't much use right now.

Depending on the "rustls-native-certs" feature is not a route to
functioning tls support.

#1013869#32
Date:
2022-06-27 00:15:50 UTC
From:
To:
Quoting Peter Michael Green (2022-06-26 23:40:37)

Thanks for clarifying.

I consider it a *horrific* bug that an interface is explicitly
advertised as available, linking against it succeeds, yet it is
non-functional.

In my opinion this renders the whole package unsuitable for release, and
I hereby flag this bugreport as such.

Please as a minimum ensure that broken or missing features are *not*
advertised by the package.


 - Jonas

#1013869#39
Date:
2022-06-27 01:11:42 UTC
From:
To:
I'll remove the rustls support completely until/unless it can be
re-enabled in a sane form.

But let's be clear: not every "feature" that exists in a Rust crate
actually provides useful functionality. The "feature"
"rustls-native-certs" was never advertised as providing any particular
functionality. At this point I have only removed features, I have not
changed the functionality of any existing features. Depending on the
"feature" "rustls-native-certs" would be just as useless with the
unmodified upstream source as it would be with my patched version.

Assuming tokio-rustls and hyper-rustls are packaged, I do intend to
switch the "rustls-tls" feature from being an alias for
"rustls-tls-webpki-roots" to being an alias for
"rustls-tls-native-roots" in line with what I believe is appropriate for
Debian. Indeed I already have a patch in the package doing that, but the
feature is currently removed completely by a patch later in the series.

#1013869#44
Date:
2022-06-27 09:54:38 UTC
From:
To:
Quoting plugwash (2022-06-27 03:11:42)

Please do.  Bogusly advertising a feature not actually provided is what
I find horrific here.  With this change alone I find it sensible to
lower severity of this bugreport back to "normal" (but that is just a
suggestion: you as package maintainer have final say in how you treat
bugreports for this package).

Removing features but continuing to advertise them as offered (through
package names containing "+") is what I consider horrific here.

It is arguably correct that you didn't change any *code* but you patched
Cargo.toml file to remove upstream-declared dependencies, causing builds
to succeed that should have failed.

I find it sensible that you choose to skip some features.

I am not sure I find it sensible to *redefine* some features to mean
something else than upstream, however.  If you choose to do that, please
consider making such strong deviation *very* clear - e.g. *both*
document it in README.Debian and *also* mention it in long description.

Let me try to clarify my concerns here:

What I find problematic generally is that the Debian package deviates notably
from upstream project without it being explicitly documented.  By
explicit documentation I don't mean changelog (and certainly not patch
files installed next to code) but a README.Debian file.

What I then find horrific here is that the vague deviation information
hinted in virtual package names is not reliable.

Please consider documenting deliberate deviation from upstream in
README.Debian, in addition to ensuring that provided package names
accurately reflect the features offered by the package.

And please reconsider your proposed plan to change features to mean
something different from what they are documented upstream to mean -
especially when no Debian-specific documentation is offered!


Thanks,

 - Jonas

#1013869#49
Date:
2022-06-28 08:31:55 UTC
From:
To:
Quoting plugwash (2022-06-27 03:11:42)
hyper-rustls have now been packaged and are pending NEW approval.

Please consider postponing removal of rustls support until that NEW
processing is done.


Thanks for all your work on this,

 - Jonas

#1013869#56
Date:
2022-07-08 01:04:17 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
rust-reqwest, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1013869@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Michael Green <plugwash@debian.org> (supplier of updated rust-reqwest package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 07 Jul 2022 22:21:25 +0000
Source: rust-reqwest
Architecture: source
Version: 0.11.11-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>
Changed-By: Peter Michael Green <plugwash@debian.org>
Closes: 1013869
Changes:
 rust-reqwest (0.11.11-3) unstable; urgency=medium
 .
   * Team upload.
   * Package reqwest 0.11.11 from crates.io using debcargo 2.5.0
   * Re-enable proper rustls support (on architectures were rustls is available)
     now that hyper-rustls and tokio-rustls are packaged. (Closes: #1013869)
   * Don't include provides or autopkgtests for internal features, limit them
     to advertised features.
   * Add README.Debian documenting the feature situation
   * Disable connect_timeout test on s390x, it always seems to fail there.