Change to work with updated libraries. #7
Conversation
Signed-off-by: Jean Pierre Dudey <[email protected]>
|
Thanks for all this work! |
|
@apoelstra I think it isn't possible right now, reqwest includes TLS support by default. |
|
Hmmm, ok. That is a very serious regression vs the existing old libraries. |
|
Are there any HTTP libraries that only deal with ASCII and don't support TLS? I wonder how much work it would be to implement the bare minimum HTTP client required to work with Bitcoin Core. |
|
@apoelstra Are there any specific constrains you're worried about? Stripping TLS is kind of understanble (though TLS is becoming inseparable part of HTTP), doing only ASCII in a language that is UTF-8 native, seems odd. While it would probably be possible to make TLS support compile time option in |
|
Also, is this library supposed to be general purpose jsonrpc, or just Bitcoin Core one? :) |
|
@dpc the goal is to minimize dependencies, hence the aversion to complex unicode (and other charsets) parsing libraries. Avoiding anything TLS related is a hard requirement because it provides zero value (anyone can use a reverse proxy to layer TLS onto whatever they're doing, and even get some isolation from their real application) and has historically been a source of serious security vulnerabilities. I was under the impression that JSON was ASCII-only (hence it having the ridiculous \u escape), but according to www.json.org a |
|
@apoelstra Well, it is true, maybe much less severe in Rust, but still. However, now I'm looking for a standard way to do jsonrpc in Rust, right now, and there is this library, which seems incompatible with reset of the ecosystem, but in the best shape and most popular one. While ability to disable TLS would be nice to have, but doesn't matter for my usecase. Should I look for other options / fork? |
|
~~I've created~~~ There is already: seanmonstar/reqwest#225 about TLS as compile time feature. Other than that, personally, I would rather use a standard, well supported, well reviewed code, written in robust, memory safe language, than a stripped down version, that doesn't get a the same amount of maintenance and mind share. |
|
The current version of this library works and is used in production systems. I'm not sure in what way it is "incompatible with the rest of the ecosystem", though of course it's good practice to keep up with dependency updates and replace deprecated libraries. If you want to fix this in a way that would bring in a TLS dependency, yes, you will need to fork the project. Although I hope we can fix this upstream in reqwest -- thank you for opening an issue about it. |
Mostly it's about |
|
:/. In |
|
What do you think about releasing a I did this work to upgrade the dependencies only in order to be compatible with |
|
I think just updating |
|
Done in #8 |
|
After further reflection, my plan is:
I think this will drop our total dependency list to ~25 entries, mostly big projects with a history of stability and tiny projects which never change. Which compares very favorably to our current 30 dependencies, including some specific ones which have broken rust-jsonrpc in the past. |
|
Are there any specific reasons you prefer reqwest to hyper? |
|
@apoelstra I choose to use I think it's more healthy to use the newest |
|
Oof, so, hyper 0.11 introduced a lot of complex asynchronous tokio stuff that we don't need; 0.12 made it optional (yay!) but didn't replace it with anything, meaning that we'd have to implement a lot of connection management ourselves. So our choices with hyper 0.12 are either to use the default options, bringing us up to 45 deps (lots of which are quickly-changing tokio), or re-implement a lot of old-hyper on our own. With that in mind I'm simply going to upgrade from hyper 0.9 to 0.10; the main changes there are dropping SSL and supporting code, dropping |
No description provided.