Page MenuHomePhabricator

[services] Tunnelbroker - Fix an OpenSSL crate collision
ClosedPublic

Authored by max on Sep 6 2022, 4:54 AM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Nov 22, 9:34 PM
Unknown Object (File)
Sat, Nov 9, 6:41 PM
Unknown Object (File)
Sat, Nov 9, 4:04 PM
Unknown Object (File)
Sat, Nov 9, 10:30 AM
Unknown Object (File)
Sat, Nov 9, 7:31 AM
Unknown Object (File)
Oct 10 2024, 6:54 AM
Unknown Object (File)
Sep 20 2024, 3:27 PM
Unknown Object (File)
Sep 20 2024, 3:27 PM

Details

Summary

This diff introduces a fix to resolve conflict in Rust crates which uses the OpenSSL library.
The fix is to use OpenSSL as **vendored** according to the OpenSSL crate documentation.

The full context is available in the Linear task.

Related Linear task: ENG-1738

Test Plan

Call Rust's FCM, A2, Reqwest functions which use OpenSSL from the Tunnelbroker C++ codebase without OpenSSL-related errors.

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

max held this revision as a draft.
max published this revision for review.Sep 6 2022, 5:07 AM
max edited the summary of this revision. (Show Details)
max edited the test plan for this revision. (Show Details)
max added reviewers: karol, tomek, varun.
tomek added a reviewer: ashoat.
tomek added inline comments.
services/tunnelbroker/rust-notifications/Cargo.toml
18 ↗(On Diff #16358)

What happens if a machine doesn't have OpenSSL installed?

services/tunnelbroker/rust-notifications/Cargo.toml
18 ↗(On Diff #16358)

vendoring a dependency usually means that a package will use it's own packaging to indirectly expose it.

Essentially, it shouldn't matter from a "does someone need openssl" standpoint.

The bigger concern is that if there is a big openssl vulnerability, then vendored dependencies have to be updated through the dependency which vendored it. Making a wider window in which we have potential vulnerabilities in production.

This isn't necessary on the nix develop side, but this probably fixes the docker build as it has an older version of openssl available.

max added inline comments.
services/tunnelbroker/rust-notifications/Cargo.toml
18 ↗(On Diff #16358)

What happens if a machine doesn't have OpenSSL installed?

We have OpenSSL installed in a Docker dev environment, and macOS have it too. Also, when installing dependencies for our dev environment OpenSSL will be installed anyway. So it looks very unlikely.

18 ↗(On Diff #16358)

vendoring a dependency usually means that a package will use it's own packaging to indirectly expose it.

Essentially, it shouldn't matter from a "does someone need openssl" standpoint.

The bigger concern is that if there is a big openssl vulnerability, then vendored dependencies have to be updated through the dependency which vendored it. Making a wider window in which we have potential vulnerabilities in production.

In case of a big openssl vulnerability (like openssl had in the past), we should check all the dependencies for an openssl anyway and update version in vendored as well.

In D5064#149334, @jon wrote:

This isn't necessary on the nix develop side, but this probably fixes the docker build as it has an older version of openssl available.

Correct! More context in the task comments.

Pinging @ashoat for a final blocking review because this is a dependency change.

This revision is now accepted and ready to land.Sep 15 2022, 8:33 AM

Sorry I took so long to review here!!