-
Notifications
You must be signed in to change notification settings - Fork 91
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Segfault on Fedora 36 due to vendored openssl #491
Comments
Fine with me. Can we do the default per platform? Relevant: #401 |
According to rust-lang/cargo#1197 it seems possible now:
A quick grep shows it's in use by the Rust compiler itself f.e. in
I'll experiment with it tomorrow. Might need Rust 2021 edition to enable "cargo resolver v2" by default. |
Unfortunately cargo will merge all features from target specific dependencies into one big graph. I tried two different approaches:
As this didn't work, I thought may be I can outsmart it by moving the "vendored" feature flag into an own dependency inside cargo-crev:
One can see in the
With the current cargo feature set this seems unsolvable. There are hacks using build.rs and stuff, but that's rather unclean. The solution I can think of right now is to disable openssl vendoring by default and enable it for the official Windows builds explicitly. Other ideas? |
Oh, so it turns out my suggestion in #488 is already implemented. 🤔
How could this happen? Cargo doesn't allow linking same library multiple times and if multiple crates depend on |
New crev user here. I was following the "Getting started" guide and instantly got a segfault on
cargo crev verify
as soon as it started to download any crate. Strangely downloading the trust data worked fine like inPlatform is Fedora 36 Linux.
So I went down the rabbit hole and got this nice backtrace (skip to the end for a solution):
It looks like this in valgrind:
This made me dig into the openssl code (I'm familiar with it a bit), but nothing obviously suspicious turned up.
While inspecting Cargo.toml I noticed it includes a vendored openssl build. Oh my.
So I disabled that one and voila,
crev verify
finally works by magic several hours later.The problem is that the vendored openssl is version 1.1.1 while F36 ships openssl 3.0.0. This doesn't mix well at all if other crates link the system wide openssl. Openssl loads further "engines" shared libraries dynamically at runtime.
Compiled with the vendored openssl feature:
Proposal: Disable the vendored openssl builds on Linux platforms by default. Security updates from the distro will come for free, too.
The text was updated successfully, but these errors were encountered: