feat(tvix/store): use reqwests' rustls-native-roots feature
This makes reqwest honor `SSL_CERT_FILE` - previously it was using the chain bundled in webpki-roots. `object_store` pulls in `reqwest` with this feature, and the cargo solver will enable that feature globally as soon as we pull it in, as it assumes features are additive. This requires setting `SSL_CERT_FILE` when running tests, otherwise they'll fail with the unhelpful "NotFound" error. This was quite some fun to debug, why adding `object_store` to tvix-castore suddenly made tvix-store tests fail! Change-Id: I64fc82b4d994715480efdb1ffecb279716456ab9 Reviewed-on: https://cl.tvl.fyi/c/depot/+/11090 Reviewed-by: raitobezarius <tvl@lahfa.xyz> Tested-by: BuildkiteCI
parent
4b4443240e
commit
1c16dee207
4 changed files with 14 additions and 23 deletions
8
tvix/Cargo.lock
generated
|
@ -2233,6 +2233,7 @@ dependencies = [
|
||||||
"percent-encoding",
|
"percent-encoding",
|
||||||
"pin-project-lite",
|
"pin-project-lite",
|
||||||
"rustls",
|
"rustls",
|
||||||
|
"rustls-native-certs",
|
||||||
"rustls-pemfile",
|
"rustls-pemfile",
|
||||||
"serde",
|
"serde",
|
||||||
"serde_json",
|
"serde_json",
|
||||||
|
@ -2247,7 +2248,6 @@ dependencies = [
|
||||||
"wasm-bindgen-futures",
|
"wasm-bindgen-futures",
|
||||||
"wasm-streams",
|
"wasm-streams",
|
||||||
"web-sys",
|
"web-sys",
|
||||||
"webpki-roots",
|
|
||||||
"winreg",
|
"winreg",
|
||||||
]
|
]
|
||||||
|
|
||||||
|
@ -3802,12 +3802,6 @@ dependencies = [
|
||||||
"wasm-bindgen",
|
"wasm-bindgen",
|
||||||
]
|
]
|
||||||
|
|
||||||
[[package]]
|
|
||||||
name = "webpki-roots"
|
|
||||||
version = "0.25.3"
|
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
||||||
checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10"
|
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "which"
|
name = "which"
|
||||||
version = "4.4.2"
|
version = "4.4.2"
|
||||||
|
|
|
@ -6710,6 +6710,12 @@ rec {
|
||||||
target = { target, features }: (!("wasm32" == target."arch" or null));
|
target = { target, features }: (!("wasm32" == target."arch" or null));
|
||||||
features = [ "dangerous_configuration" ];
|
features = [ "dangerous_configuration" ];
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
name = "rustls-native-certs";
|
||||||
|
packageId = "rustls-native-certs";
|
||||||
|
optional = true;
|
||||||
|
target = { target, features }: (!("wasm32" == target."arch" or null));
|
||||||
|
}
|
||||||
{
|
{
|
||||||
name = "rustls-pemfile";
|
name = "rustls-pemfile";
|
||||||
packageId = "rustls-pemfile";
|
packageId = "rustls-pemfile";
|
||||||
|
@ -6790,12 +6796,6 @@ rec {
|
||||||
target = { target, features }: ("wasm32" == target."arch" or null);
|
target = { target, features }: ("wasm32" == target."arch" or null);
|
||||||
features = [ "AbortController" "AbortSignal" "Headers" "Request" "RequestInit" "RequestMode" "Response" "Window" "FormData" "Blob" "BlobPropertyBag" "ServiceWorkerGlobalScope" "RequestCredentials" "File" "ReadableStream" ];
|
features = [ "AbortController" "AbortSignal" "Headers" "Request" "RequestInit" "RequestMode" "Response" "Window" "FormData" "Blob" "BlobPropertyBag" "ServiceWorkerGlobalScope" "RequestCredentials" "File" "ReadableStream" ];
|
||||||
}
|
}
|
||||||
{
|
|
||||||
name = "webpki-roots";
|
|
||||||
packageId = "webpki-roots";
|
|
||||||
optional = true;
|
|
||||||
target = { target, features }: (!("wasm32" == target."arch" or null));
|
|
||||||
}
|
|
||||||
{
|
{
|
||||||
name = "winreg";
|
name = "winreg";
|
||||||
packageId = "winreg";
|
packageId = "winreg";
|
||||||
|
@ -6875,7 +6875,7 @@ rec {
|
||||||
"wasm-streams" = [ "dep:wasm-streams" ];
|
"wasm-streams" = [ "dep:wasm-streams" ];
|
||||||
"webpki-roots" = [ "dep:webpki-roots" ];
|
"webpki-roots" = [ "dep:webpki-roots" ];
|
||||||
};
|
};
|
||||||
resolvedDefaultFeatures = [ "__rustls" "__tls" "hyper-rustls" "rustls" "rustls-pemfile" "rustls-tls" "rustls-tls-webpki-roots" "stream" "tokio-rustls" "tokio-util" "wasm-streams" "webpki-roots" ];
|
resolvedDefaultFeatures = [ "__rustls" "__tls" "hyper-rustls" "rustls" "rustls-native-certs" "rustls-pemfile" "rustls-tls-native-roots" "stream" "tokio-rustls" "tokio-util" "wasm-streams" ];
|
||||||
};
|
};
|
||||||
"ring" = rec {
|
"ring" = rec {
|
||||||
crateName = "ring";
|
crateName = "ring";
|
||||||
|
@ -11009,7 +11009,7 @@ rec {
|
||||||
name = "reqwest";
|
name = "reqwest";
|
||||||
packageId = "reqwest";
|
packageId = "reqwest";
|
||||||
usesDefaultFeatures = false;
|
usesDefaultFeatures = false;
|
||||||
features = [ "rustls-tls" "stream" ];
|
features = [ "rustls-tls-native-roots" "stream" ];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
name = "sha2";
|
name = "sha2";
|
||||||
|
@ -12346,13 +12346,6 @@ rec {
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
};
|
|
||||||
"webpki-roots" = rec {
|
|
||||||
crateName = "webpki-roots";
|
|
||||||
version = "0.25.3";
|
|
||||||
edition = "2018";
|
|
||||||
sha256 = "045g7az4mj1002m55iydln4jhyah4br2n0zms3wbz41vicpa8y0p";
|
|
||||||
|
|
||||||
};
|
};
|
||||||
"which" = rec {
|
"which" = rec {
|
||||||
crateName = "which";
|
crateName = "which";
|
||||||
|
|
|
@ -36,7 +36,7 @@ tvix-castore = { path = "../castore" }
|
||||||
url = "2.4.0"
|
url = "2.4.0"
|
||||||
walkdir = "2.4.0"
|
walkdir = "2.4.0"
|
||||||
async-recursion = "1.0.5"
|
async-recursion = "1.0.5"
|
||||||
reqwest = { version = "0.11.22", features = ["rustls-tls", "stream"], default-features = false }
|
reqwest = { version = "0.11.22", features = ["rustls-tls-native-roots", "stream"], default-features = false }
|
||||||
xz2 = "0.1.7"
|
xz2 = "0.1.7"
|
||||||
|
|
||||||
[dependencies.tonic-reflection]
|
[dependencies.tonic-reflection]
|
||||||
|
|
|
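Review bot: The new `reqwest` line selects `rustls-tls-native-roots` without a comment recording what that changes: the TLS trust anchors no longer come from the compiled-in webpki-roots bundle but from the host, via `SSL_CERT_FILE` or the platform certificate store. I would add a comment above the dependency, for example `# native roots: trust anchors are read from SSL_CERT_FILE / the OS store at runtime, so deployments must provide a CA bundle`. Whoever controls that variable or that store now decides which servers this client accepts, so the deployment documentation should say which bundle is expected. A host with no bundle will presumably fail at client setup, which the commit message reports as an unhelpful "NotFound" error.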
@ -24,6 +24,10 @@ in
|
||||||
|
|
||||||
(depot.tvix.crates.workspaceMembers.tvix-store.build.override {
|
(depot.tvix.crates.workspaceMembers.tvix-store.build.override {
|
||||||
runTests = true;
|
runTests = true;
|
||||||
|
testPreRun = ''
|
||||||
|
export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt;
|
||||||
|
'';
|
||||||
|
|
||||||
# virtiofs feature currently fails to build on Darwin.
|
# virtiofs feature currently fails to build on Darwin.
|
||||||
# we however can ship it for non-darwin.
|
# we however can ship it for non-darwin.
|
||||||
features = if pkgs.stdenv.isDarwin then [ "default" ] else [ "default" "virtiofs" ];
|
features = if pkgs.stdenv.isDarwin then [ "default" ] else [ "default" "virtiofs" ];
|
||||||
|
|
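Review bot: The added `testPreRun` block has no comment explaining why the variable is required, and by the commit message's own account the failure it prevents is an unhelpful "NotFound". I would add a line above the export such as `# reqwest is built with rustls-tls-native-roots and loads its roots from SSL_CERT_FILE; unset, the tests fail with "NotFound"`. The trailing `;` after the bundle path is not needed in the shell snippet and can be dropped. The override covers only the test run; whether the built binary is given a CA bundle at runtime is not visible in this hunk and is worth confirming.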