tokio-postgres-rustls
Replace `x509-certificate` with `x509-cert`
Closes #20
@aumetra / @serprex just bumping for awareness
Neither of us have rights on this repo, it's up to @jbg to merge this PR
So, at this point I decided to fork the crate and continue its development under tokio-postgres-rustls2.
Hopefully I can sync it back to upstream at some point.
Gonna continue the versioning where this crate took off. Kinda. First version will be 0.13.0, currently got a release candidate, gonna try to get the second open PR integrated in some form.
Whoops. Accidentally closed because I changed stuff with the repo. Will reopen with a full merge of all upstream changes if desired
Keeping this open would be good. Will your fork include #25?
I don't like the solution proposed by the PR, but I want to include something like that in my fork, yes
Apologies for not getting to this earlier, the recent comments bumped it back up my inbox though. I'd like to understand the reason for replacing the dependency. The MPL 2.0 does not prevent usage in commercial software, and does not require publishing source. You just have to publish source of x509-certificate if you make changes to it. I feel like this change is being made because of misunderstanding of the license which doesn't seem like a good justification to make a change.
For me it's less about the license and more because I prefer RustCrypto crates.
I might be biased due to some involvement with the project, but I personally feel like their code is more consistently high quality.
Plus for my dependency tree at least, it had some reduction in dependency count. But again, that's all very subjective from my perspective.
OK, if x509-cert is higher quality / has a smaller footprint then that seems a perfectly decent reason for the change. I see @brooksmtownsend mentioned that x509-certificate's MPL 2.0 license prevents their organisation from using it due to their policy, which I guess is a problem even if I personally think that policy is overcautious or based on a misunderstanding of the license. So, I will have a quick look over x509-cert and then I think there's no problem with merging this.
By the way, I'd be happy to support you in maintaining this crate since I depend on it for a project of mine.
When we merge this, I would also put in a few other PRs that get rid of a few allocations, and make most of the API private.
Also a slightly better solution to supporting multiple crypto backends than proposed by #25
Just for clarity, we already support multiple rustls crypto backends, and don't force any particular one to be chosen (except in tests where we have to pick one to run the tests with). #25 is just about the crate that is used for digests for doing the pg channel binding. TBH, I'd be tempted to just use some pure-Rust digest crate from RustCrypto rather than make it switchable between two crates that do a lot more than digests.
I'll echo @aumetra's sentiment about preference for the Rust Crypto ecosystem, but also note that from a CNCF project perspective, MPL 2.0 isn't on the list of allowed licenses, and while there's a process for requesting exceptions, it's quite toilsome and drawn out, which definitely incentivizes using licenses that align with CNCF's guidance.
@aumetra I'm unable to re-open this as the source repository has been deleted — are you able to reinstate the source repository (or file a new PR if that's not possible)?
Will do as soon as I'm at a computer
Donezo. Opened a PR that addresses your review