tonic depends on rustls API that isn't guaranteed to exist in minimum dependency version

[str4d]

Bug Report

Version

tonic 0.10.0

Description

#1443 migrated from the deprecated RootCertStore::add_server_trust_anchors to the new RootCertStore::add_trust_anchors. However, the latter was only released in rustls 0.21.6, while tonic 0.10.0 has an implicit lower version bound on rustls 0.21.0. tonic does not depend directly on rustls, instead using the re-exported version from tokio-rustls 0.24 (from which it obtains its implicit lower version bound).

This hit me because the update from tonic 0.9 to tonic 0.10 didn't need to bump tokio-rustls, so I didn't initially bump any of my other dependencies. It was only when compilation broke and I dug into why that I uncovered this issue.

tonic should instead add an explicit dependency on rustls = "0.21.6" to ensure that the API it is using exists, even if it continues to access it through the tokio-rustls re-export.

I opened rustls/tokio-rustls#18 about the fact that their examples also use this new API without bumping the minimum rustls version; had they done this, the tonic issue would have been incidentally fixed. But sadly that isn't something we can rely on for transitive dependencies (and it would have been entirely valid for tokio-rustls to continue to recommend the deprecated API in their examples and README). So until cargo provides a better way to handle patch updates to transient dependencies, the core fix needs to be here.

[alexheretic]

I don't think in general README example code should require min versions to be correct, that's too strict a requirement on usage snippets.

However, I agree that the actual lib code should compile with the min dependency versions:

tonic should instead add an explicit dependency on rustls = "0.21.6" to ensure that the API it is using exists, even if it continues to access it through the tokio-rustls re-export.

👍 This seems doable, I would also import the trait directly from rustls too.

[LucioFranco]

I assume this is happening because its not getting updated in your lockfile since a new pull of the project should bring in the latest. But I think you're right we should force the min version as well. I'd take a PR updating that and we can try to get a patch release out. Thanks!

[LucioFranco]

Ah actually now that I read this again I think this needs to be fixed in tokio-rustls rather than tonic depending on rustls directly, I don't think that is the right solution.

[djc]

I don't think there is a bug in tokio-rustls here -- tokio-rustls isn't depending on the new rustls API directly, so there's no reason for it to require newer rustls. If tonic wants to rely on newer rustls it should ensure the rustls version that is being pulled into its dependency graph is new enough -- or stick with the deprecated API for now instead.