Remove SSL feature (and openssl/security-framework dependencies) #985
The current problem is that the openssl crate has released versions 0.9.x, and hyper is depending on 0.7.x. That by itself isn't an issue, but since the openssl crate has
Attempts to Fix the Things
The suggestion so far has been that people could turn off the
Well, it gets worse. Say you do exactly that: you replace your client usage with reqwest. But say you also have a server component to your app, using some other framework, such as iron, or nickel, or something newer. Those frameworks likely depend on hyper, and did not disable the
Well then, why not just upgrade openssl! Well, there are different problems with doing that. Upgrading openssl will be a breaking change, so the minor version number must increase (while hyper is 0.x, if it were 1.x, then we'd need to go up to 2.0!). Sometimes that is needed, but the cost must always be considered. Every breaking version increase for hyper has meant disruption through the ecosystem. It takes a while for all other libraries to update their internal dependency on hyper. That means a time period when trying to combine some libraries will fail, because rustc will treat the 2 different versions as completely different (as they are).
But so what, why not just upgrade this time? The problem is that every single time openssl has a breaking change, that will require hyper to also have a breaking change. So the disruption will occur to the entire hyper ecosystem each time openssl must break an API. Perhaps that slows down to a crawl at some point, and maybe we reconsider then.
Also, hey! The openssl may not be the best default dependency. In fact, rust-native-tls is probably a better default, since it works better for Windows and macOS, and fixes certificate verification on Windows. However, there are a couple of downsides with using that as the default as well. First, it still depends on
Hm, it seems the root of the problem is having such a fundamental dependency, an http crate, depending on a
The 0.10.x already has this done, and it seems to work fine. I've tested that reqwest easily updates to this (it took no code changes, just a Cargo.toml change).
referenced this issue
Jan 5, 2017
I really like this idea. I think that switching to a design that allows users to supply an
I think @seanmonstar has stumbled on something that seems somewhat fundamental to crate design. If you could, it would be a huge help for other crates also using openssl directly to have a detailed reference of the changes that would be made to resolve this issue so that they can emulate the approach.
referenced this issue
Jan 6, 2017
Below is the changelog currently expected for the release:
Release is done, docs up, crate published, changelog at https://github.com/hyperium/hyper/releases/tag/v0.10.0