Add webpki-roots and native-certs crate features, take 2 #2005
9631481 to ec36577
ec36577 to 4c12d68
Sorry, being nitpicky about the commit history, because I know there's a bunch more large changes here and I'd like to make reviewing them easy.
I'm inclined to say the Lazy<Arc<ClientConfig>> design doesn't make all that much sense and we should instead use a design where a "global" default Arc<ClientConfig> (or maybe even only the RootCertStore?) lives in something like the ResolverConfig, NameServerConfigGroup or ResolverOpts but maybe this should be left for a future PR? (Maybe this is already what you were planning on doing in a future PR.)
4c12d68 to 9de0fd3
This is totally fine! I'm happy to do the legwork here and make it as easy as possible to review!
I think the big upside of Unfortunately storing a As for where to store it I would argue that a "global" default would make sense to live in Personally I'm also in favor of moving away from the Let me know what you think!
26457d1 to 431db81
Let me know if you want me to squash anything or split a commit into a separate PR. E.g. I think 431db81 should be squashed.
This sounds like a good direction!
CI currently fails on a test called
fbf3f99 to e4f90ff
e4f90ff to 9047e08
I guess https://trust-dns.org is down?
I temporarily disabled the test to make the CI run. Let me know if you want me to remove it before merging.
I'm going to leave it to @bluejekyll to decide if he wants to merge this with the ignored test (or fix up his DNS/web server setup?).
If we decide that we don't want to merge this now because it's a breaking change, let me know. There are other PRs I want to work on that (hopefully) don't require a breaking change, but I am waiting on this because I don't want to spend time constantly rebasing everything. No stress though, I'm not in a hurry!
I think we pretty much default to only doing breaking releases except if there's a security response needed.
5b47f29 to 655f5f4
655f5f4 to fcf00ba
fcf00ba to 4287043
I removed the commit disabling the test. The last commit "Fix CI" was probably necessary because of the 1.72 release and has nothing to do with this PR. I'm happy to split it into a separate PR if needed.
Cool, look forward to merging this.
Separate PR is unnecessary from my side, but would like one commit for
Sorry for the delay on this. I'm reviewing this now.
Thank you for all the cleanup on the examples and configuration as well. This looks great. You clearly spent a lot of time and energy on this change, I really appreciate all that effort.
See the one comment about the panic, once that is fixed, I will happily merge this in.
ok, this is an awesome change. Thank you for all the work!
Apologies, never got to separate those commits! Thank you all for the guidance, was a great experience!
This splits the changes from #1943 into two parts. This is the first part, only introducing loading the native certificates. The changes are basically only touching the code that was loading certificates from webpki-roots and introducing the new crate features.
I could split this up further into trust-dns-proto and trust-dns-resolver?
This implementation has the big downside that trust-dns-resolver will attempt to load the native certificates only once and save the Result in a Lazy. So there is currently no way for the user to re-attempt or reload the native certificates. This will be addressed in the second part.
Replaces #1943.