Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Swtich to embedded TLS roots instead of Native TLS #193

Merged
merged 1 commit into from
Nov 10, 2023
Merged

Swtich to embedded TLS roots instead of Native TLS #193

merged 1 commit into from
Nov 10, 2023

Conversation

ylow
Copy link
Contributor

@ylow ylow commented Nov 10, 2023
edited
Loading

Mac Native TLS takes a long time to load.
rustls/rustls-native-certs#30

This is an issue as some git operations spawn (sequentially) a large number of git-xet subprocesses. This switches reqwest to using an embedded Mozilla certificate roots. (webpki-roots crate). This reduces push time by about 33%.

@ylow
Swtich to embedded TLS roots instead of Native TLS
af09ddb 
Mac Native TLS takes a long time to load.
rustls/rustls-native-certs#30

This is an issue as some git operations spawn (sequentially) a large number of
git-xet subprocesses. This switches reqwest to using an embedded Mozilla
certificate roots.  (webpki-roots crate)
@ylow ylow requested a review from hoytak November 10, 2023 00:54
znation
znation approved these changes Nov 10, 2023
View reviewed changes
Copy link
Contributor

@znation znation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good find!

@ylow ylow merged commit a523637 into main Nov 10, 2023
1 check passed
@ylow ylow deleted the ylow/switch_away_from_native_tls branch November 10, 2023 05:52
@alerque
Copy link

alerque commented Nov 10, 2023

Could this be made optional? Embedding root certificates (even for internal use) is a big no-no for some Linux distributions. I package this for Arch Linux for example which has a policy against it. Since the problem is macOS specific could the option to eschew the system certificates at least be made platform specific? If this isn't a problem on Linux but the "solution" is a problem in its own right, this is a step backwards.

@ylow
Copy link
Contributor Author

ylow commented Nov 10, 2023

#195 amends this to use embedded root certs only on MacOS.

@alerque
Copy link

alerque commented Nov 10, 2023

Thanks for that!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@znation znation znation approved these changes

@hoytak hoytak Awaiting requested review from hoytak

Assignees

@znation znation

@jgodlew jgodlew

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@ylow @alerque @znation @jgodlew