fix(deps): vendored OpenSSL for cross-Linux + portable build #173

Merged: 7xuanlu merged 4 commits into main from worktree-fix+openssl-vendored on May 25, 2026

@7xuanlu (Owner) commented May 24, 2026

Summary

cross 0.2.5's Linux container has a system OpenSSL too old for openssl-sys 0.9.x. Installing libssl-dev didn't help (wrong version, not missing).

Switch to vendored OpenSSL: openssl-sys builds OpenSSL from source as part of the build, no system dep, no version matrix to chase.

  • Workspace Cargo.toml: declare `openssl = { version = "0.10", features = ["vendored"] }`.
  • origin-server pulls it as direct dep (engages cargo feature unification — every transitive consumer of openssl-sys gets `vendored`).
  • Cargo.lock adds `openssl-src v300.6.0+3.6.2` (the bundled OpenSSL source).

After this lands, v0.7.0 tag must be moved forward to include the new Cargo.toml + Cargo.lock so workflow_dispatch checkout sees them.

Test plan

  • `cargo check -p origin-server` builds clean locally with vendored.
  • `scripts/validate-versions.sh` still passes.
  • CI on this PR (fmt/lint/test on 3 OSes).
  • After merge + tag-move: `gh workflow run release.yml --field tag=v0.7.0`.

7xuanlu and others added 4 commits May 24, 2026 15:24

openssl-sys is pulled transitively (fastembed → hf-hub → native-tls →
openssl-sys). The cross 0.2.5 Linux container's system OpenSSL is too
old for openssl-sys 0.9.x ("This crate is only compatible with OpenSSL
1.1.0, 1.1.1, or 3.x"). Installing libssl-dev in the container did not
help because the version is wrong, not missing.

Bypass system OpenSSL entirely with the cargo `vendored` feature on
`openssl`. It builds OpenSSL from source as part of the build. Cargo
feature unification turns it on for every transitive consumer once any
workspace member declares it. `origin-server` is the carrier: it never
calls `openssl` directly but its presence in the graph engages the
feature.

Trade-off: ~30s extra build time per target. Net: universal portability,
no system-OpenSSL ABI matrix to chase.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

PR #168 removed `x86_64-apple-darwin` from the release.yml matrix
because ort 2.x has no Intel-Mac prebuilt. The distribution test that
guards the matrix wasn't updated and now panics with
`release workflow missing origin-darwin-x64`.

Re-add the target here when ONNX builds from source or `ort-tract`
becomes viable.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

When openssl-sys finds any system OpenSSL it short-circuits before
checking the `vendored` cargo feature. The previous `apt-get install
libssl-dev` made cross's Ubuntu 16.04 OpenSSL 1.0.2 visible to the
build script, which then rejected it ("This crate is only compatible
with OpenSSL 1.1.0+/3.x") instead of falling back to vendored.

Workspace `openssl/vendored` now compiles OpenSSL 3.x from source via
`openssl-src`, so the container needs no openssl packages at all.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@7xuanlu 7xuanlu merged commit 597c1c3 into main May 25, 2026
9 checks passed
7xuanlu added a commit that referenced this pull request May 25, 2026
* fix(deps): declare openssl-sys directly with vendored feature

The previous attempt (PR #173) routed vendored through the `openssl`
wrapper crate. `cargo tree -e features` locally confirmed
`openssl-sys feature "vendored"` was in the resolved graph, yet the
cross-container build kept running openssl-sys's pkg-config probe and
failing on the container's stale OpenSSL 1.0.2.

Probable cause: cross's multi-package build invokes cargo with a
specific resolver behavior that picks up native-tls's un-featured
openssl-sys path before the openssl-wrapper's featured one.

Declare openssl-sys directly in the workspace, then pull it into
origin-server with `workspace = true`. The feature lands on the crate
that actually has the build script, no wrapper-crate routing needed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(deps): rustls everywhere + openssl-sys vendored (belt + suspenders)

Per cross-rs/cross#510: when transitive deps drag native-tls into the
graph and cross's container has stale OpenSSL, the canonical fixes are
(a) switch the offenders to rustls, or (b) vendor openssl-sys. Both
turn out to be needed here because fastembed/hf-hub feature unification
fights us: even with `hf-hub-rustls-tls` selected on fastembed, hf-hub
still drags native-tls through the union of features on the unified
hf-hub crate.

Belt:
- reqwest workspace dep: `default-features = false, features =
  ["json", "rustls-tls"]`. Drops native-tls from origin-core's direct
  reqwest path.
- fastembed workspace dep: `default-features = false, features =
  ["hf-hub", "hf-hub-rustls-tls", "image-models",
  "ort-download-binaries-rustls-tls"]`. Picks the rustls variants of
  the two TLS-aware fastembed features.

Suspenders:
- workspace `openssl-sys = { version = "0.9", features = ["vendored"] }`,
  pulled into origin-server with `workspace = true`. Forces openssl-sys
  itself (the build-script-bearing crate) to compile OpenSSL 3.x from
  source via `openssl-src`. cargo tree -e features confirms
  `openssl-sys feature "vendored"` resolves; openssl-src is in
  Cargo.lock.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

7xuanlu added a commit that referenced this pull request May 25, 2026
Resolves conflict in Cargo.toml [workspace.dependencies] where P0a's
`fs2 = "0.4"` collided with main's new `[profile.release]` block from
the CI-throughput tune (PRs #173/#179/#182/#184/#185/#186 wave).

Brings in stale-test fix for `release_workflow_publishes_cli_and_mcp_npm_packages`
via PR #173's distribution.rs update (drops origin-darwin-x64 needle).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
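
With `vendored`, the OpenSSL release that ships in the binary is the one `openssl-src` pins in Cargo.lock, so the lockfile is the place to track it. The following is an added example, not code from this PR or the origin repository: a lockfile audit that extracts that release and lists what still pulls in `openssl-sys`. `parse_lock`, `audit` and the sample lockfile are constructed for illustration; only the `openssl-src` version string comes from the PR description.

```python
import re

# Constructed Cargo.lock excerpt. Only the openssl-src version comes from the
# PR; every "0.0.0" is a placeholder, not a real release.
SAMPLE_LOCK = '''\
[[package]]
name = "native-tls"
version = "0.0.0"
dependencies = [
 "openssl-sys",
]

[[package]]
name = "openssl-src"
version = "300.6.0+3.6.2"

[[package]]
name = "openssl-sys"
version = "0.0.0"
dependencies = [
 "openssl-src",
]
'''

def parse_lock(text):
    """Map package name -> list of (version, [dependency names])."""
    pkgs = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        ver = re.search(r'^version = "([^"]+)"', block, re.M)
        deps = re.search(r'^dependencies = \[(.*?)^\]', block, re.M | re.S)
        # A dependency entry may read "name version (source)"; keep the name.
        names = [d.split()[0] for d in re.findall(r'"([^"]+)"', deps.group(1))] if deps else []
        if name and ver:
            pkgs.setdefault(name.group(1), []).append((ver.group(1), names))
    return pkgs

def audit(text):
    """Report the OpenSSL release the lockfile pins and who pulls openssl-sys."""
    pkgs = parse_lock(text)
    users = lambda dep: sorted(n for n, es in pkgs.items() if any(dep in d for _, d in es))
    return {
        # openssl-src carries the upstream release as semver build metadata.
        "bundled_openssl": [v.split("+", 1)[1] for v, _ in pkgs.get("openssl-src", []) if "+" in v],
        "openssl_sys_links_src": "openssl-sys" in users("openssl-src"),
        "openssl_sys_parents": users("openssl-sys"),
    }
```

Cargo.lock covers every target and workspace member at once, so this shows what is pinned, not what a particular cross build linked.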