Using rustls instead of openssl?

Open ajalexei opened this issue 2 years ago • 7 comments

I wonder whether rustls library might be a viable substitute/alternative for openssl dependence? This would make gitui completely implemented in rust without any external dependencies.

ajalexei avatar Jan 10 '24 04:01 ajalexei

Switching to rustls would be nice, but since it keeps being dependent on libgit2, it will not be rust-only then by a long shot.

extrawurst avatar Jan 10 '24 08:01 extrawurst

Thanks for a prompt reply.
Hmm, I overlooked that -- where is the libgit2 hidden? A quick look at the dependencies only gives ring that has some C-code.

ajalexei avatar Jan 11 '24 12:01 ajalexei

It’s coming in via the git2 crate

extrawurst avatar Jan 11 '24 23:01 extrawurst

Thanks. However "cargo tree (--features ring,tls12,aws_lc-rs)" does not list any git related crates for the rustls 0.22.2 release. What am I missing?

ajalexei avatar Jan 13 '24 05:01 ajalexei

Here is the upstream issue: https://github.com/rust-lang/git2-rs/issues/623#issuecomment-1956957013

extrawurst avatar Feb 21 '24 15:02 extrawurst

> It’s coming in via the git2 crate

Not as much "coming" as "people keep asking for it but it's unlikely to happen" given that the upstream libgit2 is barely maintained.

In order to migrate cargo audit to rustls we ported it to gitoxide. It also spared us some memory safety vulnerabilities, e.g. CVE-2024-24575 and CVE-2024-24577.

Shnatsel avatar Feb 21 '24 16:02 Shnatsel

> given that the upstream libgit2 is barely maintained

I think you mean git2-rs, right? libgit2 is highly active and git2-rs is just a wrapper so there is not much maintenance needed.

> we ported it to gitoxide

I wish this was an option for gitui too, but for that it's just not feature complete enough yet. But maybe the over-the-wire features from gitoxide while using git2-rs for the rest would be an option.

extrawurst avatar Feb 21 '24 16:02 extrawurst