Globally set transitive features (especially for FIPS), or block certain features

[xnox]

Problem

I want to compile application with FIPS approved cryptography only (for example by using boringssl rustls provider in fips mode; or by using rustls with the aws-lc-fips-sys provider).

My package/workspace has many dependencies, and they in turn have multiple declarations to rustls.

Despite setting my toplevel rustls features to use aws-lc-fips-sys, transitive dependencies that have repeated rustls dependencies may activate default features and pull in rustls again but with non-fips provider.

Ideally when compiling application and choosing rustls with aws-lc-fips-sys, I want to prevent non-fips feature being pull in; or able to inspect this.

Building binaries with cargo-auditable appears to indicate that it often is trivially possible to link two rustls implementations aws-lc-sys & aws-lc-fips-sys.

Is there a way to globally enforce cargo dependencies and features? to only pull in one rustls with desired features and no other ?

Proposed Solution

File bug reports against all rustls dependants asking them to add a feature that pulls in rustls with FIPS feature; rather than with default feature. (Currently 945 https://crates.io/crates/rustls/reverse_dependencies )

Somehow make rustls by default have no features activated, and allow dependency resolution to always happen without any features for the packages; yet allow each one of them to choose desired feature set for the compiled binaries - such that packages/library dependencies do not impose a feature selection; yet all individual binaries can make a choice.

Ask rustls to default to a FIPS implementation by default..... Or somehow locally override default rustls features to be FIPS.

Notes

Related:

• Please add FIPS feature to mirror rustls FIPS feature to use aws-lc-fips-sys only (without aws-lc-sys) rustls/webpki#307
• add fips feature, adjust aws-lc-rs sys dep rustls/webpki#308
• adjust FIPS feature handling w.r.t aws-lc-sys rustls/rustls#2291
• How to build without rcgen and without ring? istio/ztunnel#1404
• Ability to disable individual default features #3126
• Mutually exclusive features #2980

[weihanglo]

Thanks for the detailed use case!

#2980 is definitely the tracking issue of all this mess. In addition, issues below are relevant as well:

• Automatically activate a dependency if its used elsewhere in dependency graph #1555
• Pass parameters to build.rs script via CLI #3646
• Managing the propagation of features across a large workspace is infeasible without tooling support #9094

If I understand correctly, this pre-RFC proposes exactly what you want: https://internals.rust-lang.org/t/pre-rfc-mutually-excusive-global-features/19618. I'll go ahead and close this, in favor of those issues and pre-RFC. Let us know if there is a reason this worth kept open separately.

[weihanglo]

FWIW, aws-lc-sys is worse in the opposite way in this situation. Usually the package.links field is set to a string that ensures for the same string, only one unique version of native dependency exists in the dependency graph. However, aws-lc-sys bumps the field for each release. That is the reason you could have muliple versions of the native dependencies.
https://github.com/aws/aws-lc-rs/blob/0470373fe2ac92391085d928099e9d2c2292e5cd/aws-lc-sys/Cargo.toml#L5

[xnox]

@weihanglo sounds good! And this issue is useful as is, as a pseudo index-reference to all of these things.

Indeed, all of this is complicated.

[xnox]

Separately, for example "openssl-provider" of rustls is not a default features; so yeah without any tooling support it is not possible to force the whole workspace (and all transitive deps) to drop default features and allow one at build time to "and please pull in this rustls provider by default".

At this point I am pondering to fork crates.io to somehow republish the world with dependencies that I desire =/ but that's completely impractical solution.