fix(deps): Replace openssl with rustls in tests and experimental features (#7047)
* Remove openssl dependency and prevent it coming back * Put the arguments in the right place * Put comment in the right place * Add a default-docker feature to zebrad and use it in workflows and Docker files * Fix a comment typo * Make sure that Docker production builds don't use openssl * Rename feature to default-release-binaries
parent
f455baaa6e
commit
76a7ff45a9
|
@ -38,7 +38,7 @@ on:
|
|||
# https://github.com/ZcashFoundation/zebra/blob/main/docker/Dockerfile#L83
|
||||
features:
|
||||
required: false
|
||||
default: "sentry"
|
||||
default: "default-release-binaries"
|
||||
type: string
|
||||
test_features:
|
||||
required: false
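Review bot: The sync comment at the top of the hunk, `# https://github.com/ZcashFoundation/zebra/blob/main/docker/Dockerfile#L83`, pins its target to a line number that will drift the next time that Dockerfile is edited, and the Dockerfile hunk in this commit does the same in the other direction with `build-docker-image.yml#L42`. Both places now carry the same `default-release-binaries` value, so naming the symbol rather than the line is more durable: `# Keep in sync with ARG FEATURES in docker/Dockerfile`. The `on:` block this `features` input belongs to starts outside the hunk.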
|
||||
|
|
|
@ -261,8 +261,8 @@ jobs:
|
|||
# We don't need to check `--no-default-features` here, because (except in very rare cases):
|
||||
# - disabling features isn't going to add duplicate dependencies
|
||||
# - disabling features isn't going to add more crate sources
|
||||
features: ['', '--all-features']
|
||||
# We always want to run the --all-features job, because it gives accurate "skip tree root was not found" warnings
|
||||
features: ['', '--features default-release-binaries', '--all-features']
|
||||
# Always run the --all-features job, to get accurate "skip tree root was not found" warnings
|
||||
fail-fast: false
|
||||
|
||||
# Prevent sudden announcement of a new advisory from failing ci:
|
||||
|
@ -274,12 +274,14 @@ jobs:
|
|||
persist-credentials: false
|
||||
- uses: r7kamura/rust-problem-matchers@v1.3.0
|
||||
|
||||
# The --all-features job is the only job that gives accurate "skip tree root was not found" warnings.
|
||||
# In other jobs, we expect some of these warnings, due to disabled features.
|
||||
- name: Check ${{ matrix.checks }} with features ${{ matrix.features }}
|
||||
uses: EmbarkStudios/cargo-deny-action@v1
|
||||
with:
|
||||
command: check ${{ matrix.checks }}
|
||||
# --all-features spuriously activates openssl, but we want to ban that dependency in
|
||||
# all of zebrad's production features for security reasons. But the --all-features job is
|
||||
# the only job that gives accurate "skip tree root was not found" warnings.
|
||||
# In other jobs, we expect some of these warnings, due to disabled features.
|
||||
command: check ${{ matrix.checks }} ${{ matrix.features == '--all-features' && '--allow banned' || '--allow unmatched-skip-root' }}
|
||||
arguments: --workspace ${{ matrix.features }}
|
||||
|
||||
unused-deps:
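Review bot: The `--allow banned` branch in the new `command:` line disables the openssl ban for the `--all-features` job, so the only jobs that still enforce it are the `''` and `--features default-release-binaries` entries of the matrix in the previous hunk. The experimental image in this same commit is built with `default-release-binaries getblocktemplate-rpcs`, a combination no ban-enforcing job covers, so an openssl activation reachable only through `getblocktemplate-rpcs` (or any other non-default production feature) would surface only in the job that allows it. Adding that combination, `features: ['', '--features default-release-binaries', '--features "default-release-binaries getblocktemplate-rpcs"', '--all-features']`, keeps the ban meaningful for every feature set that ships in an image. Note also that `--allow banned` suppresses every `[bans].deny` entry, not just openssl, so any ban added later inherits the same gap unless its feature set is in the matrix.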
|
||||
|
|
|
@ -44,7 +44,7 @@ jobs:
|
|||
tag_suffix: .experimental
|
||||
network: Testnet
|
||||
rpc_port: '18232'
|
||||
features: "sentry getblocktemplate-rpcs"
|
||||
features: "default-release-binaries getblocktemplate-rpcs"
|
||||
test_features: ""
|
||||
rust_backtrace: '1'
|
||||
zebra_skip_ipv6_tests: '1'
|
||||
|
|
23
deny.toml
23
deny.toml
|
@ -10,6 +10,13 @@
|
|||
[bans]
|
||||
# Lint level for when multiple versions of the same crate are detected
|
||||
multiple-versions = "deny"
|
||||
|
||||
# Don't allow wildcard ("any version") dependencies
|
||||
wildcards = "deny"
|
||||
# Allow private and dev wildcard dependencies.
|
||||
# Switch this to `false` when #6924 is implemented.
|
||||
allow-wildcard-paths = true
|
||||
|
||||
# The graph highlighting used when creating dotgraphs for crates
|
||||
# with multiple versions
|
||||
# * lowest-version - The path to the lowest versioned duplicate is highlighted
|
||||
|
@ -17,12 +24,18 @@ multiple-versions = "deny"
|
|||
# * all - Both lowest-version and simplest-path are used
|
||||
highlight = "all"
|
||||
|
||||
# We don't use this for Zebra.
|
||||
#
|
||||
# List of crates that are allowed. Use with care!
|
||||
#allow = [
|
||||
#]
|
||||
|
||||
# List of crates that can never become Zebra dependencies.
|
||||
deny = [
|
||||
# Often has memory safety vulnerabilities.
|
||||
# Enabled by --all-features, use the `cargo hack` script in the deny.toml CI job instead.
|
||||
{ name = "openssl" },
|
||||
{ name = "openssl-sys" },
|
||||
]
|
||||
|
||||
# We only use this for some `librustzcash` and `orchard` crates.
|
||||
# If we add a crate here, duplicate dependencies of that crate are still shown.
|
||||
#
|
||||
|
@ -47,6 +60,9 @@ skip-tree = [
|
|||
# wait for criterion to upgrade
|
||||
{ name = "itertools", version = "=0.10.5" },
|
||||
|
||||
# wait for backtrace and multiple dependents to upgrade
|
||||
{ name = "miniz_oxide", version = "=0.6.2" },
|
||||
|
||||
# ZF crates
|
||||
|
||||
# wait for zcashd and zcash_script to upgrade
|
||||
|
@ -71,6 +87,9 @@ skip-tree = [
|
|||
# wait for zcash_address to upgrade
|
||||
{ name = "bs58", version = "=0.4.0" },
|
||||
|
||||
# wait for minreq and zcash_proofs to upgrade
|
||||
{ name = "rustls", version = "=0.20.8" },
|
||||
|
||||
# zebra-utils dependencies
|
||||
|
||||
# wait for structopt upgrade (or upgrade to clap 4)
|
||||
|
|
|
@ -81,7 +81,7 @@ ENV ZEBRA_SKIP_IPV6_TESTS ${ZEBRA_SKIP_IPV6_TESTS:-1}
|
|||
# Build zebrad with these features
|
||||
# Keep these in sync with:
|
||||
# https://github.com/ZcashFoundation/zebra/blob/main/.github/workflows/build-docker-image.yml#L42
|
||||
ARG FEATURES="sentry"
|
||||
ARG FEATURES="default-release-binaries"
|
||||
ARG TEST_FEATURES="lightwalletd-grpc-tests zebra-checkpoints"
|
||||
# Use ENTRYPOINT_FEATURES to override the specific features used to run tests in entrypoint.sh,
|
||||
# separately from the test and production image builds.
|
||||
|
|
|
@ -23,7 +23,7 @@ RUN apt-get -qq update && \
|
|||
|
||||
ENV CARGO_HOME /opt/zebrad/.cargo/
|
||||
# Build dependencies - this is the caching Docker layer!
|
||||
RUN cargo chef cook --release --features sentry --package zebrad --recipe-path recipe.json
|
||||
RUN cargo chef cook --release --features default-release-binaries --package zebrad --recipe-path recipe.json
|
||||
|
||||
ARG RUST_BACKTRACE=0
|
||||
ENV RUST_BACKTRACE ${RUST_BACKTRACE}
|
||||
|
@ -36,4 +36,4 @@ ENV COLORBT_SHOW_HIDDEN ${COLORBT_SHOW_HIDDEN}
|
|||
|
||||
COPY . .
|
||||
# Pre-download Zcash Sprout and Sapling parameters
|
||||
RUN cargo run --locked --release --features sentry --package zebrad --bin zebrad download
|
||||
RUN cargo run --locked --release --features default-release-binaries --package zebrad --bin zebrad download
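Review bot: Both new `RUN` lines hard-code `--features default-release-binaries` instead of reading it from a build argument, which makes this file a third place, after the workflow `features` input and the other Dockerfile's `ARG FEATURES`, that has to be edited by hand whenever the release feature set changes. Declaring `ARG FEATURES="default-release-binaries"` once before the first `cargo chef cook` and using `--features ${FEATURES}` in both commands keeps the feature set overridable from the same argument the other image uses (the `ARG` must be declared in each build stage that references it, which I cannot see from these hunks). If this image is deliberately not parameterised, a one-line comment saying so would pre-empt the question.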
|
||||
|
|
|
@ -42,7 +42,8 @@ zebra-chain = { path = "../zebra-chain" , version = "1.0.0-beta.26"}
|
|||
# Tool and test feature rpc-client
|
||||
color-eyre = { version = "0.6.2", optional = true }
|
||||
jsonrpc-core = { version = "18.0.0", optional = true }
|
||||
reqwest = { version = "0.11.18", optional = true }
|
||||
# Security: avoid default dependency on openssl
|
||||
reqwest = { version = "0.11.18", default-features = false, features = ["rustls-tls"], optional = true }
|
||||
serde = { version = "1.0.164", optional = true }
|
||||
serde_json = { version = "1.0.97", optional = true }
|
||||
|
||||
|
@ -50,6 +51,6 @@ serde_json = { version = "1.0.97", optional = true }
|
|||
|
||||
color-eyre = "0.6.2"
|
||||
jsonrpc-core = "18.0.0"
|
||||
reqwest = "0.11.18"
|
||||
reqwest = { version = "0.11.18", default-features = false, features = ["rustls-tls"] }
|
||||
serde = "1.0.164"
|
||||
serde_json = "1.0.97"
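Review bot: The `# Security: avoid default dependency on openssl` comment above the new `reqwest` line (and the identical comment on the `elasticsearch` line in the zebra-state hunk) reads as if `default-features = false` alone keeps openssl out, but Cargo unifies features across the workspace, so any other crate that enables reqwest's default TLS feature pulls openssl back in regardless of this manifest. The `openssl`/`openssl-sys` ban added to deny.toml in this commit is what actually enforces the property, so the comment is more accurate as `# Security: avoid default dependency on openssl (enforced by the [bans] deny list in deny.toml)`. The same `reqwest` line is repeated under `[dev-dependencies]` in the next hunk with the identical version and feature list, so the two copies must be kept in step by hand.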
|
||||
|
|
|
@ -67,7 +67,8 @@ tower = { version = "0.4.13", features = ["buffer", "util"] }
|
|||
tracing = "0.1.37"
|
||||
|
||||
# elasticsearch specific dependencies.
|
||||
elasticsearch = { version = "8.5.0-alpha.1", package = "elasticsearch", optional = true }
|
||||
# Security: avoid default dependency on openssl
|
||||
elasticsearch = { version = "8.5.0-alpha.1", default-features = false, features = ["rustls-tls"], optional = true }
|
||||
serde_json = { version = "1.0.97", package = "serde_json", optional = true }
|
||||
|
||||
zebra-chain = { path = "../zebra-chain", version = "1.0.0-beta.26" }
|
||||
|
|
|
@ -39,6 +39,9 @@ pre-release-replacements = [
|
|||
# In release builds, don't compile debug logging code, to improve performance.
|
||||
default = ["release_max_level_info"]
|
||||
|
||||
# Default features for official ZF binary release builds
|
||||
default-release-binaries = ["default", "sentry"]
|
||||
|
||||
# Production features that activate extra dependencies, or extra features in dependencies
|
||||
|
||||
# Experimental mining RPC support
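Review bot: The new `default-release-binaries` feature is referenced by name from the Docker `ARG FEATURES`, the workflow `features` input default, the cargo-deny matrix and the `cargo chef`/`cargo run` lines elsewhere in this commit, but the comment above it says only `# Default features for official ZF binary release builds`. Naming those consumers, e.g. `# Passed via --features by both Dockerfiles and the CI workflows; add release-only features here, not to \`default\`.`, tells the next person adding a feature where it will take effect. Whether `sentry` is deliberately kept out of `default` so that plain developer builds skip it is not stated on the page and is worth a line if so.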
|
||||
|
|