duckscript: use system TLS instead of rustls

[cho-m]

• Have you followed the guidelines for contributing?
• Have you ensured that your commits follow the commit style guide?
• Have you checked that there aren't other open pull requests for the same formula update/change?
• Have you built your formula locally with brew install --build-from-source <formula>, where <formula> is the name of the formula you're submitting?
• Is your test running fine brew test <formula>, where <formula> is the name of the formula you're submitting?
• Does your build pass brew audit --strict <formula> (after doing brew install --build-from-source <formula>)? If this is a new formula, does it pass brew audit --new <formula>?

---

[cho-m]

Still need to make sure of linkage. Open to opinions on whether we should favor the statically linked pure Rust implementation vs dynamically linked system/Homebrew library.

Upstream changed from native OpenSSL to rustls, and then added option afterward https://github.com/sagiegurari/duckscript/blob/master/CHANGELOG.md#v0813-2022-07-21

### v0.8.13 (2022-07-21)

* Enhancement: Runtime - Enable to clone duckscript context #253 (thanks waterlens)
* Enhancement: Support both native TLS via openssl and pure rust TLS #258 (thanks @jirutka)

### v0.8.12 (2022-05-25)

* Enhancement: Add support for stdin input passing to child process in exec, watchdog and spawn commands #247
* Enhancement: Replace native TLS support via openssl with pure rust TLS
* Update dependencies

[cho-m]

Old linkage #112420:

==> brew linkage --cached duckscript
System libraries:
  /lib/x86_64-linux-gnu/libc.so.6
  /lib/x86_64-linux-gnu/libgcc_s.so.1
  /lib/x86_64-linux-gnu/libm.so.6

New linkage:

==> brew linkage --cached duckscript
System libraries:
  /lib/x86_64-linux-gnu/libc.so.6
  /lib/x86_64-linux-gnu/libgcc_s.so.1
  /lib/x86_64-linux-gnu/libm.so.6
Homebrew libraries:
  /home/linuxbrew/.linuxbrew/opt/openssl@3/lib/libcrypto.so.3 (openssl@3)
  /home/linuxbrew/.linuxbrew/opt/openssl@3/lib/libssl.so.3 (openssl@3)

[cho-m]

@Homebrew/core

I see that some rust formulae have switched to default of rustls (like duckscript and zola) and expect more to follow. For some we won't have a choice, but the ones I listed do allow overriding default.

Wanted to discuss whether we should use rustls or override default to use Homebrew OpenSSL / macOS system libs.

I guess the main consideration would be security. Dynamically linked libraries allow providing security fixes with formulae/system updates. rustls fixes would require upstream creating a new release with updated Cargo.lock including a version of rustls with fix. Though that may be something that upstream is expected to actively support if they plan to use rustls.

[carlocab]

I'm averse to statically linking crypto libraries. Do you know what Linux distros are doing?

[MikeMcQuaid]

Yeh, I'm initially "oh let's do what upstream does" but this does not sound like it'll be an easy process for us to detect and push updates for compared to e.g. a new openssl release.

[cho-m]

Do you know what Linux distros are doing?

There aren't that many examples right now. Alpine's duckscript maintainer wrote the PR to re-add system TLS support (sagiegurari/duckscript#258) and I would assume Debian, Fedora, and others would also prefer dynamic linkage based on general packaging preferences/policy.

Of course this will depend on whether each upstream is willing to support alternative TLS options. For example, volta will be dropping OpenSSL support in next release (volta-cli/volta#1214).

---

Based on current responses, we could try to prioritize dynamically linked SSL/TLS libraries when available. May need to verify brew linkage output or upstream changelogs/notes to notice if upstream has decided to use rustls.

---

On side note, there are some other bundled libraries that we may want to check on later per rust formula:

• openssl-sys can end up bundling OpenSSL if package uses vendored feature. May be possible to override with OPENSSL_NO_VENDOR.
• libgit2-sys bundles a copy of libgit2 but does detect system copy via pkg-config.
• libssh2-sys bundles a copy of libssh2. Needs an environment variable override to change behavior.
  • This decision partly seems to be due to Homebrew when mixing OpenSSL versions (Add LIBSSH2_SYS_USE_PKG_CONFIG env var alexcrichton/ssh2-rs#88 (comment)).
  • I think this impacts rust itself as the libssh2 dependency isn't linked.
• onig_sys bundles a copy of oniguruma. Needs an environment variable override to change behavior.

[BrewTestBot]

🤖 A scheduled task has triggered a merge.