From 7423333ae92a4bba0055cd1143b047ccd6ad6fe3 Mon Sep 17 00:00:00 2001 From: Andy Bodnar Date: Sat, 10 Jan 2026 12:42:53 -0700 Subject: [PATCH 1/2] Remove vendored OpenSSL in favor of platform-native TLS Switch to using platform-native TLS implementations: - Windows: WinHTTP/Schannel (built-in) - macOS: SecureTransport (built-in) - Linux: System OpenSSL (via package manager) This removes the vendor-openssl feature and the openssl-sys dependency, eliminating the need to bundle OpenSSL with the binary. Users on Windows and macOS get TLS support out of the box, while Linux users need to have OpenSSL development libraries installed (which is common on most systems). Closes #2004 --- Cargo.toml | 3 +-- README.md | 9 ++++++--- asyncgit/Cargo.toml | 9 ++++----- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 8f07dd34e4..69d46d483f 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -24,14 +24,13 @@ members = [ ] [features] -default = ["ghemoji", "regex-fancy", "trace-libgit", "vendor-openssl"] +default = ["ghemoji", "regex-fancy", "trace-libgit"] ghemoji = ["gh-emoji"] # regex-* features are mutually exclusive. regex-fancy = ["syntect/regex-fancy", "two-face/syntect-fancy"] regex-onig = ["syntect/regex-onig", "two-face/syntect-onig"] timing = ["scopetime/enabled"] trace-libgit = ["asyncgit/trace-libgit"] -vendor-openssl = ["asyncgit/vendor-openssl"] [dependencies] anyhow = "1.0" diff --git a/README.md b/README.md index f97b708148..040d9c2453 100644 --- a/README.md +++ b/README.md 
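Review bot: The new `default` line in the root `[features]` table has no comment saying that default builds no longer bundle OpenSSL, even though this changes where the TLS library's patch level comes from. Per the commit message, Linux builds now link the system OpenSSL, so the host's packages decide the version rather than the bundled copy, and packagers need the development headers installed. I would add above `default`: `# No TLS library is bundled by default; Linux builds link the system OpenSSL.` The table already carries a comment of this kind for the regex-* features.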
@@ -223,9 +223,12 @@ see [NIGHTLIES.md](./NIGHTLIES.md) - Minimum supported `rust`/`cargo` version: `1.82` - See [Install Rust](https://www.rust-lang.org/tools/install) -- To build openssl dependency (see https://docs.rs/openssl/latest/openssl/) - - perl >= 5.12 (strawberry perl works for windows https://strawberryperl.com/) - - a c compiler (msvc, gcc or clang, cargo will find it) +- TLS/SSL support uses platform-native libraries: + - **Windows**: Uses WinHTTP/Schannel (built-in, no additional setup needed) + - **macOS**: Uses SecureTransport (built-in, no additional setup needed) + - **Linux**: Requires system OpenSSL development libraries (e.g., `libssl-dev` on Debian/Ubuntu, `openssl-devel` on Fedora) + +- A C compiler is required to build native dependencies (msvc on Windows, gcc or clang on Unix) - To run the complete test suite python is required (and it must be invocable as `python`) diff --git a/asyncgit/Cargo.toml b/asyncgit/Cargo.toml index 9239659fec..e5f5528fab 100644 --- a/asyncgit/Cargo.toml +++ b/asyncgit/Cargo.toml @@ -14,7 +14,6 @@ keywords = ["git"] [features] default = ["trace-libgit"] trace-libgit = [] -vendor-openssl = ["openssl-sys"] [dependencies] bitflags = "2" @@ -22,6 +21,10 @@ crossbeam-channel = "0.5" dirs = "6.0" easy-cast = "0.5" fuzzy-matcher = "0.3" +# TLS is provided by platform-native libraries: +# - Windows: WinHTTP/Schannel (built-in) +# - macOS: SecureTransport (built-in) +# - Linux: System OpenSSL (install via package manager) git2 = "0.20" git2-hooks = { path = "../git2-hooks", version = ">=0.6" } gix = { version = "0.77.0", default-features = false, features = [ 
@@ -31,10 +34,6 @@ gix = { version = "0.77.0", default-features = false, features = [ "status", ] } log = "0.4" -# git2 = { path = "../../extern/git2-rs", features = ["vendored-openssl"]} -# git2 = { git="https://github.com/extrawurst/git2-rs.git", rev="fc13dcc", features = ["vendored-openssl"]} -# pinning to vendored openssl, using the git2 feature this gets lost with new resolver -openssl-sys = { version = '0.9', features = ["vendored"], optional = true } rayon = "1.11" rayon-core = "1.13" scopetime = { path = "../scopetime", version = "0.1" } From dd9e8b62d3ca4e8f401bf5f9421deb068bc55f5b Mon Sep 17 00:00:00 2001 From: Andy Bodnar Date: Sun, 11 Jan 2026 09:11:51 -0700 Subject: [PATCH 2/2] Address review feedback: restore vendor-openssl for cross-compilation - Remove TLS comment from asyncgit/Cargo.toml (context is in README) - Restore commented git2 lines that were unrelated to OpenSSL changes - Restore vendor-openssl feature for cross-compilation targets - Update Makefile to use vendor-openssl for musl, ARM, and Apple x86 builds The vendor-openssl feature is no longer in defaults, allowing native TLS on standard builds while still supporting vendored OpenSSL for cross-compilation where system libraries aren't available. --- Cargo.toml | 1 + Makefile | 22 +++++++++++----------- asyncgit/Cargo.toml | 9 +++++---- 3 files changed, 17 insertions(+), 15 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 69d46d483f..b637b104aa 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -31,6 +31,7 @@ regex-fancy = ["syntect/regex-fancy", "two-face/syntect-fancy"] regex-onig = ["syntect/regex-onig", "two-face/syntect-onig"] timing = ["scopetime/enabled"] trace-libgit = ["asyncgit/trace-libgit"] +vendor-openssl = ["asyncgit/vendor-openssl"] [dependencies] anyhow = "1.0" diff --git a/Makefile b/Makefile index 4b0c5496b1..500c2d8eaf 100644 --- a/Makefile +++ b/Makefile 
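Review bot: The re-added `vendor-openssl = ["asyncgit/vendor-openssl"]` line in the second commit's root `[features]` hunk has no comment marking it as opt-in and bundled, which a packager needs to know before enabling it. A binary built with this feature carries its own OpenSSL copy, so it picks up OpenSSL fixes only when the dependency is bumped and the binary is rebuilt, unlike the default build, which follows the host library. Suggested comment above the line: `# Opt-in, for targets without a usable system OpenSSL: builds and statically links a bundled copy.`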
@@ -47,19 +47,19 @@ release-linux-musl: build-linux-musl-release tar -C ./target/x86_64-unknown-linux-musl/release/ -czvf ./release/gitui-linux-x86_64.tar.gz ./gitui build-apple-x86-debug: - cargo build --target=x86_64-apple-darwin + cargo build --features vendor-openssl --target=x86_64-apple-darwin build-apple-x86-release: - cargo build --release --target=x86_64-apple-darwin --locked + cargo build --features vendor-openssl --release --target=x86_64-apple-darwin --locked build-linux-musl-debug: - cargo build --target=x86_64-unknown-linux-musl + cargo build --features vendor-openssl --target=x86_64-unknown-linux-musl build-linux-musl-release: - cargo build --release --target=x86_64-unknown-linux-musl --locked + cargo build --features vendor-openssl --release --target=x86_64-unknown-linux-musl --locked test-linux-musl: - cargo nextest run --workspace --target=x86_64-unknown-linux-musl + cargo nextest run --features vendor-openssl --workspace --target=x86_64-unknown-linux-musl release-linux-arm: build-linux-arm-release mkdir -p release 
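Review bot: `--features vendor-openssl` is now spelled out on every cross-target command in this hunk and again in the ARM hunk (`@@ -73,14 +73,14 @@`), so a target added later can miss it and would presumably link the system library or fail to build, unlike its sibling artifacts. One variable keeps them in step, e.g. `VENDOR_OPENSSL := --features vendor-openssl` and then `cargo build $(VENDOR_OPENSSL) --release --target=x86_64-unknown-linux-musl --locked`. The Apple x86 targets also get the flag although the README text from the first commit says macOS needs no OpenSSL; a one-line comment on why that target bundles it would stop the flag being removed later as a mistake. The `release-linux-musl` recipe at the top of the hunk and `release-linux-arm` at the bottom continue outside it.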
@@ -73,14 +73,14 @@ release-linux-arm: build-linux-arm-release tar -C ./target/arm-unknown-linux-gnueabihf/release/ -czvf ./release/gitui-linux-arm.tar.gz ./gitui build-linux-arm-debug: - cargo build --target=aarch64-unknown-linux-gnu - cargo build --target=armv7-unknown-linux-gnueabihf - cargo build --target=arm-unknown-linux-gnueabihf + cargo build --features vendor-openssl --target=aarch64-unknown-linux-gnu + cargo build --features vendor-openssl --target=armv7-unknown-linux-gnueabihf + cargo build --features vendor-openssl --target=arm-unknown-linux-gnueabihf build-linux-arm-release: - cargo build --release --target=aarch64-unknown-linux-gnu --locked - cargo build --release --target=armv7-unknown-linux-gnueabihf --locked - cargo build --release --target=arm-unknown-linux-gnueabihf --locked + cargo build --features vendor-openssl --release --target=aarch64-unknown-linux-gnu --locked + cargo build --features vendor-openssl --release --target=armv7-unknown-linux-gnueabihf --locked + cargo build --features vendor-openssl --release --target=arm-unknown-linux-gnueabihf --locked test: cargo nextest run --workspace diff --git a/asyncgit/Cargo.toml b/asyncgit/Cargo.toml index e5f5528fab..9239659fec 100644 --- a/asyncgit/Cargo.toml +++ b/asyncgit/Cargo.toml @@ -14,6 +14,7 @@ keywords = ["git"] [features] default = ["trace-libgit"] trace-libgit = [] +vendor-openssl = ["openssl-sys"] [dependencies] bitflags = "2" @@ -21,10 +22,6 @@ crossbeam-channel = "0.5" dirs = "6.0" easy-cast = "0.5" fuzzy-matcher = "0.3" -# TLS is provided by platform-native libraries: -# - Windows: WinHTTP/Schannel (built-in) -# - macOS: SecureTransport (built-in) -# - Linux: System OpenSSL (install via package manager) git2 = "0.20" git2-hooks = { path = "../git2-hooks", version = ">=0.6" } gix = { version = "0.77.0", default-features = false, features = [ 
@@ -34,6 +31,10 @@ gix = { version = "0.77.0", default-features = false, features = [ "status", ] } log = "0.4" +# git2 = { path = "../../extern/git2-rs", features = ["vendored-openssl"]} +# git2 = { git="https://github.com/extrawurst/git2-rs.git", rev="fc13dcc", features = ["vendored-openssl"]} +# pinning to vendored openssl, using the git2 feature this gets lost with new resolver +openssl-sys = { version = '0.9', features = ["vendored"], optional = true } rayon = "1.11" rayon-core = "1.13" scopetime = { path = "../scopetime", version = "0.1" }
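Review bot: The comment restored above `openssl-sys` ("pinning to vendored openssl, using the git2 feature this gets lost with new resolver") does not say what the line does today, and the two commented-out `git2` lines above it point at a local path and a fork revision that nothing in this hunk uses. Because `features = ["vendored"]` is fixed on the dependency, turning it on always compiles a bundled OpenSSL; a comment such as `# Optional; enabled through the vendor-openssl feature. Builds and statically links a bundled OpenSSL instead of the system one.` states that directly. The version string also uses single quotes (`'0.9'`) where the neighbouring entries use double quotes. The `[dependencies]` table starts and ends outside this hunk.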