Conversation
|
Just from that lockfile diff its quite a lot of new code yeah 😅 Out of curiosity, if the upki daemon is installed on a system does that also mean the C dylib will be present somewhere on disk too? I wonder if it would be worth considering reusing that code if its already on an end-user's system. |
|
FYI, this should help:
There is no daemon, there would typically be a binary and a systemd unit. (We can also come up with API that can do this in a separate thread or Tokio task -- I think you asked about this a while ago?) |
Right, bad wording on my side. I was just trying to refer to some binary contents an installer would have put on the system already. IE if there's already a binary would there also be a library with it too for other consumers like OpenSSL? |
Basically yes, see https://launchpad.net/~ubuntu-foundations-team/+archive/ubuntu/upki-preview/+packages. But I think it would still be preferable to use Rust interfaces here? |
|
I have mixed feelings on it so far 😄. On every other platform that provides certificate verification facilities, we use the shared libraries provided by the "platform" instead of re-implementing or shipping logic that just uses raw data the OS holds somewhere for itself. If you squint enough on Linux, the upki infrastructure installed by the distro would count as those verification facilities. |
What are you concretely worried about? |
3 participants
Hm, this is not ideal, as the rustls-upki -> upki -> rustls path turns on unwanted crate features. That means we'd need to infect the upki crate with features also, and make those control the ability to do fetching etc?
Who designed this stuff 🤣
Draft status: needs test in CI