tokio-postgres-rustls icon indicating copy to clipboard operation
tokio-postgres-rustls copied to clipboard

Replace `x509-certificate` with `x509-cert`

Open aumetra opened this issue 1 year ago • 2 comments

Closes #20

aumetra avatar May 10 '24 23:05 aumetra

@aumetra / @serprex just bumping for awareness

brooksmtownsend avatar Aug 23 '24 16:08 brooksmtownsend

Neither of us have rights on this repo, it's up to @jbg to merge this PR

serprex avatar Aug 23 '24 17:08 serprex

So, at this point I decided to fork the crate and continue its development under tokio-postgres-rustls2. Hopefully I can sync it back to upstream at some point.

Gonna continue the versioning where this crate took off. Kinda. First version will be 0.13.0, currently got a release candidate, gonna try to get the second open PR integrated in some form.

https://crates.io/crates/tokio-postgres-rustls2

aumetra avatar Oct 11 '24 23:10 aumetra

Whoops. Accidentally closed because I changed stuff with the repo. Will reopen with a full merge of all upstream changes if desired

aumetra avatar Oct 12 '24 00:10 aumetra

Whoops. Accidentally closed because I changed stuff with the repo. Will reopen with a full merge of all upstream changes if desired

Keeping this open would be good. Will your fork include #25?

serprex avatar Oct 12 '24 13:10 serprex

I don't like the solution proposed by the PR, but I want to include something like that in my fork, yes

aumetra avatar Oct 12 '24 13:10 aumetra

Apologies for not getting to this earlier, the recent comments bumped it back up my inbox though. I'd like to understand the reason for replacing the dependency. The MPL 2.0 does not prevent usage in commercial software, and does not require publishing source. You just have to publish source of x509-certificate if you make changes to it. I feel like this change is being made because of misunderstanding of the license which doesn't seem like a good justification to make a change.

jbg avatar Oct 12 '24 14:10 jbg

For me it's less about the license and more because I prefer RustCrypto crates.

I might be biased due to some involvement with the project, but I personally feel like their code is more consistently high quality.

Plus for my dependency tree at least, it had some reduction in dependency count. But again, that's all very subjective from my perspective.

aumetra avatar Oct 12 '24 14:10 aumetra

OK, if x509-cert is higher quality / has a smaller footprint then that seems a perfectly decent reason for the change. I see @brooksmtownsend mentioned that x509-certificate's MPL 2.0 license prevents their organisation from using it due to their policy, which I guess is a problem even if I personally think that policy is overcautious or based on a misunderstanding of the license. So, I will have a quick look over x509-cert and then I think there's no problem with merging this.

jbg avatar Oct 12 '24 14:10 jbg

By the way, I'd be happy to support you in maintaining this crate since I depend on it for a project of mine.

When we merge this, I would also put in a few other PRs that get rid of a few allocations, and make most of the API private.

Also a slightly better solution to supporting multiple crypto backends than proposed by #25

aumetra avatar Oct 12 '24 14:10 aumetra

Just for clarity, we already support multiple rustls crypto backends, and don't force any particular one to be chosen (except in tests where we have to pick one to run the tests with). #25 is just about the crate that is used for digests for doing the pg channel binding. TBH, I'd be tempted to just use some pure-Rust digest crate from RustCrypto rather than make it switchable between two crates that do a lot more than digests.

jbg avatar Oct 12 '24 14:10 jbg

I'll echo @aumetra's sentiment about preference for the Rust Crypto ecosystem, but also note that from a CNCF project perspective, MPL 2.0 isn't on the list of allowed licenses, and while there's a process for requesting exceptions, it's quite toilsome and drawn out, which definitely incentives using licenses that align with CNCF's guidance.

joonas avatar Oct 12 '24 14:10 joonas

@aumetra I'm unable to re-open this as the source repository has been deleted — are you able to reinstate the source repository (or file a new PR if that's not possible)?

jbg avatar Oct 12 '24 14:10 jbg

Will do as soon as I'm at a computer

aumetra avatar Oct 12 '24 15:10 aumetra

Donezo. Opened a PR that addresses your review

aumetra avatar Oct 14 '24 23:10 aumetra