On Wed, Sep 7, 2016 at 12:41 AM, Diane Hosfelt <[email protected]> wrote:
> I 100% understand the desire to use a pure Rust TLS library for Servo, but
> I think we need to not ignore the fact that there isn't one right now. Ring
> implements the crypto primitives, not the protocols. Rustls is promising,
> but it's brand new and lacks a number of features required to be a full TLS
> library (and that's if the owner/community decide to allow insecure
> algorithms for the sake of web compatibility).

I disagree with your statement that there "isn't one right now", as you refer to a pure Rust TLS library. rustls implements full TLS, but not old TLS, which would be needed to talk to a long tail of the web today. As Servo matures, the long tail will become more important, just as it will be in DOM or layout work, but for now, Servo can probably do without it. Also, brand new-ness is not just a bad thing; it also means that rustls can take advantage of modern knowledge on what areas of TLS are more or less important and more or less vulnerable.

> I don't think that Servo has
> the resources to majorly contribute to a new TLS library in Rust. This
> leaves a few options:
>
> 1. Continue with OpenSSL bindings until there's a more mature rust TLS
> implementation
> 2. Create bindings for another library
>
> From this point, I think we should look at the resource problem. How much
> work will it take to maintain/improve the OpenSSL bindings? Who can do
> this? Ditto for the bindings for another library.

Creating NSS bindings now is skating to where the puck currently is, not to where it's going to be. Creating the bindings will involve significant work. You may discount the work because the resources don't have any cost to you, but it's still work that, in the bigger picture, there is not much of a need for in the longer term. As the NSS bindings work is going on, the alternatives will move forward as well, and might even do so at a faster pace. Instead, Servo could start skating now to where the puck will be, i.e. pure-Rust crypto.

To explain it in another way, I think you're implicitly dismissing one factor, which is the rest of the Rust community. Notice that rustls already exists, in a fairly usable form, without Servo or other MoCo teams investments. As more people start using rustls, it will grow the features that Servo needs, to some extent even without investments from the Servo team itself.
As one example, I myself have contributed to both Servo and *ring*, and would be happy to work on rustls to advance the cause of Rust crypto and Servo, in tandem. It would be much harder to find volunteer contributors for NSS bindings; I don't think the argument that significant amounts of Rust users are interested in using NSS holds water, even if they care about age -- they will probably go to OpenSSL instead, which has the virtue of being more established now in the Rust community. (Also, will people who care about the age of the crypto code magically not care about the age of the bindings code?)

Cheers,

Dirkjan

