Make libgmp dependency optional #1
Hi!
Thanks for doing this, I think it's a good idea. I've thought a bit in the
past about removing this dependency (hopefully for a pure rust crate). If
you have any ideas along this line, please let me know.
Just want to note that because of what appears to be a bug in rust-crypto,
the behavior of plain versus encrypted empty strings will be different.
Anyways, I'll review and merge ASAP.
On Apr 26, 2017 12:55 AM, "Stephen Oliver" wrote:
Hi :)
I've moved the code that requires linking with libgmp behind a feature
(but made it the default).
This makes the Plain encryption type the only one available when libgmp
is not available, but that's OK for many use cases, and the pseudo-TLS
design in the Secret Service specification is more or less only intended
for preventing secrets from being swapped to disk anyway, which can be
solved in other ways.
This was needed for a few reasons:
1. Linking with libgmp on some Rust targets, like
   x86_64-unknown-linux-musl, requires building it separately rather than
   just installing the distro version, which is almost always going to be
   built to work with gnu libc. That would be fine in many cases, as it's
   not *that* hard to build things (and libdbus *also* has to be built
   the same way), but...
2. Linking Apache 2.0 licensed code with, and using, a LGPLv3/GPLv3
   library like libgmp presents a licensing issue that *might* be
   resolvable in some cases. Dynamically linking to it may be ok if you choose
   to use libgmp under the LGPLv3 or if libgmp qualifies for the system
   library exception to the GPLv3, but that wouldn't work for a musl
   library/binary anyway as it would have to be statically linked.
As an aside, libdbus would also present these issues in some cases, but
it's dual licensed under the AFL 2.1
<https://en.wikipedia.org/wiki/Academic_Free_License>, which makes some
things easier (static linking libdbus itself), and some things harder, as
it is completely incompatible with the GPL so nothing else licensed under
the GPL could be linked at all.
------------------------------
You can view, comment on, or merge this pull request online at:
#1
Commit Summary
- Make libgmp dependency optional
File Changes
- *M* Cargo.toml
<https://github.com/hwchen/secret-service-rs/pull/1/files#diff-0> (7)
- *M* src/item.rs
<https://github.com/hwchen/secret-service-rs/pull/1/files#diff-1> (4)
- *M* src/lib.rs
<https://github.com/hwchen/secret-service-rs/pull/1/files#diff-2> (1)
- *M* src/session.rs
<https://github.com/hwchen/secret-service-rs/pull/1/files#diff-3> (9)
Patch Links:
- https://github.com/hwchen/secret-service-rs/pull/1.patch
- https://github.com/hwchen/secret-service-rs/pull/1.diff
Thanks again! I'm going to merge, but first wanted to ask if you wanted to make some notes in the docs and the readme about this feature. If not, I'm also happy to.
@hwchen sure I can add some notes tonight :)
Hi @steveatinfincia, I'd like to get this merged in the next day or two, so if you don't add notes I'll probably just do it myself. No problem if you can't get to it, I appreciate the work you already did.
@hwchen sorry about that, have been insanely busy lately. Writing it up right now :)
No problem, thanks so much!