author | Florian Klink <flokli@flokli.de> | 2024-03-03T14·47+0200 |
---|---|---|
committer | flokli <flokli@flokli.de> | 2024-03-03T15·32+0000 |
commit | 1c16dee2078999f61e31194bbe793790facf0e98 (patch) | |
tree | 33414d2fd63aab562db4eaca67a67e72d98a25a4 | |
parent | 4b4443240e45c5200d3135acccd4e52ffa8d706c (diff) |
feat(tvix/store): use reqwests' rustls-native-roots feature r/7642
This makes reqwest honor `SSL_CERT_FILE` - previously it was using the chain bundled in webpki-roots. `object_store` pulls in `reqwest` with this feature, and the cargo solver will enable that feature globally as soon as we pull it in, as it assumes features are additive. This requires setting `SSL_CERT_FILE` when running tests, otherwise they'll fail with the unhelpful "NotFound" error. This was quite some fun to debug, why adding `object_store` to tvix-castore suddenly made tvix-store tests fail! Change-Id: I64fc82b4d994715480efdb1ffecb279716456ab9 Reviewed-on: https://cl.tvl.fyi/c/depot/+/11090 Reviewed-by: raitobezarius <tvl@lahfa.xyz> Tested-by: BuildkiteCI
-rw-r--r-- | tvix/Cargo.lock | 8 | ||||
-rw-r--r-- | tvix/Cargo.nix | 23 | ||||
-rw-r--r-- | tvix/store/Cargo.toml | 2 | ||||
-rw-r--r-- | tvix/store/default.nix | 4 |
4 files changed, 14 insertions, 23 deletions
diff --git a/tvix/Cargo.lock b/tvix/Cargo.lock index bcaa8190e5be..ec6966d7b601 100644 --- a/tvix/Cargo.lock +++ b/tvix/Cargo.lock @@ -2233,6 +2233,7 @@ dependencies = [ "percent-encoding", "pin-project-lite", "rustls", + "rustls-native-certs", "rustls-pemfile", "serde", "serde_json", @@ -2247,7 +2248,6 @@ dependencies = [ "wasm-bindgen-futures", "wasm-streams", "web-sys", - "webpki-roots", "winreg", ] @@ -3803,12 +3803,6 @@ dependencies = [ ] [[package]] -name = "webpki-roots" -version = "0.25.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10" - -[[package]] name = "which" version = "4.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" diff --git a/tvix/Cargo.nix b/tvix/Cargo.nix index 2987a76751b4..a144b80bf2e6 100644 --- a/tvix/Cargo.nix +++ b/tvix/Cargo.nix @@ -6711,6 +6711,12 @@ rec { features = [ "dangerous_configuration" ]; } { + name = "rustls-native-certs"; + packageId = "rustls-native-certs"; + optional = true; + target = { target, features }: (!("wasm32" == target."arch" or null)); + } + { name = "rustls-pemfile"; packageId = "rustls-pemfile"; optional = true; @@ -6791,12 +6797,6 @@ rec { features = [ "AbortController" "AbortSignal" "Headers" "Request" "RequestInit" "RequestMode" "Response" "Window" "FormData" "Blob" "BlobPropertyBag" "ServiceWorkerGlobalScope" "RequestCredentials" "File" "ReadableStream" ]; } { - name = "webpki-roots"; - packageId = "webpki-roots"; - optional = true; - target = { target, features }: (!("wasm32" == target."arch" or null)); - } - { name = "winreg"; packageId = "winreg"; target = { target, features }: (target."windows" or false); 
@@ -6875,7 +6875,7 @@ rec { "wasm-streams" = [ "dep:wasm-streams" ]; "webpki-roots" = [ "dep:webpki-roots" ]; }; - resolvedDefaultFeatures = [ "__rustls" "__tls" "hyper-rustls" "rustls" "rustls-pemfile" "rustls-tls" "rustls-tls-webpki-roots" "stream" "tokio-rustls" "tokio-util" "wasm-streams" "webpki-roots" ]; + resolvedDefaultFeatures = [ "__rustls" "__tls" "hyper-rustls" "rustls" "rustls-native-certs" "rustls-pemfile" "rustls-tls-native-roots" "stream" "tokio-rustls" "tokio-util" "wasm-streams" ]; }; "ring" = rec { crateName = "ring"; @@ -11009,7 +11009,7 @@ rec { name = "reqwest"; packageId = "reqwest"; usesDefaultFeatures = false; - features = [ "rustls-tls" "stream" ]; + features = [ "rustls-tls-native-roots" "stream" ]; } { name = "sha2"; @@ -12347,13 +12347,6 @@ rec { ]; }; - "webpki-roots" = rec { - crateName = "webpki-roots"; - version = "0.25.3"; - edition = "2018"; - sha256 = "045g7az4mj1002m55iydln4jhyah4br2n0zms3wbz41vicpa8y0p"; - - }; "which" = rec { crateName = "which"; version = "4.4.2";
diff --git a/tvix/store/Cargo.toml b/tvix/store/Cargo.toml
index bf0d3413609c..ec7acbd562be 100644
--- a/tvix/store/Cargo.toml
+++ b/tvix/store/Cargo.toml
@@ -36,7 +36,7 @@ tvix-castore = { path = "../castore" }
 url = "2.4.0"
 walkdir = "2.4.0"
 async-recursion = "1.0.5"
-reqwest = { version = "0.11.22", features = ["rustls-tls", "stream"], default-features = false }
+reqwest = { version = "0.11.22", features = ["rustls-tls-native-roots", "stream"], default-features = false }
 xz2 = "0.1.7"
 [dependencies.tonic-reflection]
diff --git a/tvix/store/default.nix b/tvix/store/default.nix
index 35d2a22bb2ce..2c07cdf2b31f 100644
--- a/tvix/store/default.nix
+++ b/tvix/store/default.nix
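Review bot: The changed `reqwest` line in tvix/store/Cargo.toml moves the source of TLS trust anchors, and nothing beside the dependency records that. With `rustls-tls-native-roots` the roots are read from the platform store or `SSL_CERT_FILE` at runtime instead of the webpki-roots bundle compiled into the binary, so the runtime environment now decides which CAs the store's HTTP clients trust. An environment with no discoverable bundle presumably fails the same way the tests did ("NotFound"). I would add a comment above the dependency, for example `# native roots: CA trust comes from the platform store / SSL_CERT_FILE at runtime, same reqwest feature object_store enables`. It is also worth confirming that each deployment of tvix-store provides a CA bundle, since the export added in default.nix covers test runs only.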
@@ -24,6 +24,10 @@ in
 (depot.tvix.crates.workspaceMembers.tvix-store.build.override {
 runTests = true;
+ testPreRun = ''
+ export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt;
+ '';
+
 # virtiofs feature currently fails to build on Darwin.
 # we however can ship it for non-darwin.
 features = if pkgs.stdenv.isDarwin then [ "default" ] else [ "default" "virtiofs" ]; |
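Review bot: The `testPreRun` block added after `runTests = true;` carries no comment saying why the tests need a CA bundle, and the export alone does not explain it to the next person editing this override. I would put `# reqwest uses rustls-tls-native-roots and needs a CA bundle at runtime; without SSL_CERT_FILE the tests fail with "NotFound"` above `testPreRun`. The export applies to the test run only, so the built tvix-store binary still depends on whatever `SSL_CERT_FILE` or system store its runtime environment supplies; if that is intended, the same comment is a good place to say so. The trailing `;` after the export is harmless in shell and can be dropped. The override attribute set opens before this hunk and continues past it.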