From 7a8c9fab651d502509200129e3ca9f6097b7c604 Mon Sep 17 00:00:00 2001 From: Lukas Kalbertodt Date: Thu, 8 Sep 2022 12:48:07 +0200 Subject: [PATCH 1/2] Statically link `libssl` for better binary compatibility This is only used by the HTTP client of `meilisearch_sdk`, i.e. to communicate with Meilisearch. In most instances, Meili runs on the same machine without HTTPS, so this is basically never used. In particular, Tobira cannot listen on HTTPS directly (you should use a reverse proxy for that). And to communicate with Opencast, rustls is used. Ideally, meilisearch_sdk would also use rustls and in the future we can do that. But for now, we want to statically link libssl to make it easier to deploy Tobira. The main argument against static linking is that an administrator cannot deploy libssl security updates without updating Tobira. Yes, but that's already true for 99% of Tobira's dependencies. So just dynamically linking this one library isn't making a big difference. Also, as mentioned above, libssl is not even used in most situations. And if it's used, there is no user interaction. --- backend/Cargo.lock | 11 +++++++++++ backend/Cargo.toml | 1 + 2 files changed, 12 insertions(+) diff --git a/backend/Cargo.lock b/backend/Cargo.lock index 6143b721b..72d711749 100644 --- a/backend/Cargo.lock +++ b/backend/Cargo.lock @@ -1366,6 +1366,15 @@ version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" +[[package]] +name = "openssl-src" +version = "111.22.0+1.1.1q" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8f31f0d509d1c1ae9cada2f9539ff8f37933831fd5098879e482aa687d659853" +dependencies = [ + "cc", +] + [[package]] name = "openssl-sys" version = "0.9.75" @@ -1375,6 +1384,7 @@ dependencies = [ "autocfg", "cc", "libc", + "openssl-src", "pkg-config", "vcpkg", ] 
@@ -2182,6 +2192,7 @@ dependencies = [ "hyper", "hyper-rustls", "hyperlocal", + "isahc", "juniper", "juniper_hyper", "log", diff --git a/backend/Cargo.toml b/backend/Cargo.toml index dbd7ff9bd..c55e26d43 100644 --- a/backend/Cargo.toml +++ b/backend/Cargo.toml @@ -36,6 +36,7 @@ hostname = "0.3" hyper = { version = "0.14", features = ["client", "http1", "http2"] } hyper-rustls = { version = "0.23", features = ["http2"] } hyperlocal = { version = "0.8", default-features = false, features = ["server"] } +isahc = { version = "1", features = ["static-ssl"] } juniper = { version = "0.15.10", default-features = false, features = ["chrono", "schema-language"] } juniper_hyper = "0.8.0" log = { version = "0.4", features = ["serde", "std"] } From 02d9a08bb60d8ba133f7014d7e8d5db84daf5050 Mon Sep 17 00:00:00 2001 From: Lukas Kalbertodt Date: Thu, 8 Sep 2022 12:57:21 +0200 Subject: [PATCH 2/2] Statically link to `libz` See last commit for reasoning. libz is only used by the build dependency `built` and meilisearch_sdk at runtime. So the same reasoning applies basically. --- backend/Cargo.lock | 1 + backend/Cargo.toml | 1 + 2 files changed, 2 insertions(+) diff --git a/backend/Cargo.lock b/backend/Cargo.lock index 72d711749..583c89855 100644 --- a/backend/Cargo.lock +++ b/backend/Cargo.lock @@ -2195,6 +2195,7 @@ dependencies = [ "isahc", "juniper", "juniper_hyper", + "libz-sys", "log", "meilisearch-sdk", "mime_guess", diff --git a/backend/Cargo.toml b/backend/Cargo.toml index c55e26d43..7467eb7e4 100644 --- a/backend/Cargo.toml +++ b/backend/Cargo.toml 
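Review bot: The added `isahc` line in `backend/Cargo.toml` carries no comment saying that it exists only to switch on `static-ssl` for the isahc that `meilisearch-sdk` pulls in, so it reads as an unused direct dependency and could be dropped in a cleanup, silently returning the build to dynamic linking; the same applies to the `libz-sys` line added in the second patch. I would put `# Not used directly: only enables static OpenSSL for meilisearch-sdk's HTTP client (isahc).` above it, and a matching comment above `libz-sys`. The feature presumably only takes effect while this `version = "1"` requirement resolves to the same isahc release that meilisearch-sdk depends on, so a major-version bump there would drop static linking without any build error. With this change the OpenSSL that ships is whatever `openssl-src` is pinned to in `Cargo.lock` (`111.22.0+1.1.1q` here), so OpenSSL fixes arrive only through a lockfile update and a new release; an advisory check such as `cargo audit` in CI would make a stale pin visible.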
@@ -39,6 +39,7 @@ hyperlocal = { version = "0.8", default-features = false, features = ["server"] }
 isahc = { version = "1", features = ["static-ssl"] }
 juniper = { version = "0.15.10", default-features = false, features = ["chrono", "schema-language"] }
 juniper_hyper = "0.8.0"
+libz-sys = { version = "1", features = ["static"] }
 log = { version = "0.4", features = ["serde", "std"] }
 meilisearch-sdk = "0.18.0"
 mime_guess = { version = "2", default-features = false }