@weiznich
Contributor

@weiznich weiznich commented Oct 14, 2025

During a dependency review I noticed that tokio-rustls includes bad test keys in the binary PEM format in the published packages. These files are not required for building tokio-rustls and make it harder to review the code.

This commit explicitly excludes these files from the published package. Before this change `cargo package` reported a size of 22 files, 137.1KiB (34.6KiB compressed). After this change it reports a size of 14 files, 110.6KiB (27.3KiB compressed), so this is only a rather minimal size reduction. Nevertheless, given the current number of 17 million downloads per month, that would result in a 118 GB/month traffic reduction for crates.io. For me personally the exclusion of the binary files is the more important outcome.
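A dependency reviewer can check an unpacked `.crate` for this kind of key material with a scan like the one below. This is an added example, not part of the pull request or of tokio-rustls; the function names `pem_labels` and `scan_crate` are hypothetical, and it only detects PEM blocks by their `-----BEGIN <label>-----` header line.

```rust
use std::{fs, io, path::{Path, PathBuf}};

/// Byte-wise substring search; returns the offset of the first match.
fn find(hay: &[u8], needle: &[u8]) -> Option<usize> {
    hay.windows(needle.len()).position(|w| w == needle)
}

/// Labels of all PEM blocks in `data`, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
fn pem_labels(data: &[u8]) -> Vec<String> {
    const BEGIN: &[u8] = b"-----BEGIN ";
    let (mut labels, mut pos) = (Vec::new(), 0);
    while let Some(off) = find(&data[pos..], BEGIN) {
        let start = pos + off + BEGIN.len();
        // The label runs up to the closing five dashes on the same line.
        let eol = data[start..].iter().position(|&b| b == b'\n').map_or(data.len(), |i| start + i);
        if let Some(len) = find(&data[start..eol], b"-----") {
            labels.push(String::from_utf8_lossy(&data[start..start + len]).into_owned());
        }
        pos = start;
    }
    labels
}

/// Lists every file under `root` that carries PEM blocks (relative paths, sorted).
fn scan_crate(root: &Path) -> io::Result<Vec<(PathBuf, Vec<String>)>> {
    let (mut hits, mut stack) = (Vec::new(), vec![root.to_path_buf()]);
    while let Some(dir) = stack.pop() {
        for entry in fs::read_dir(&dir)? {
            let path = entry?.path();
            if path.is_dir() {
                stack.push(path);
                continue;
            }
            let labels = pem_labels(&fs::read(&path)?);
            if !labels.is_empty() {
                hits.push((path.strip_prefix(root).unwrap_or(&path).to_path_buf(), labels));
            }
        }
    }
    hits.sort();
    Ok(hits)
}

fn main() -> io::Result<()> {
    let root = std::env::args().nth(1).unwrap_or_else(|| ".".into());
    for (path, labels) in scan_crate(Path::new(&root))? {
        println!("{}: {}", path.display(), labels.join(", "));
    }
    Ok(())
}
```

Run it against the directory produced by extracting the `.crate` archive; any `PRIVATE KEY` label in the output marks a file worth excluding from the package or reviewing by hand.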

@weiznich weiznich force-pushed the remove_key_material branch from 574fdb7 to 6ce6b35 Compare October 14, 2025 07:05
Member

@djc djc left a comment

Makes sense to me. Should we also exclude any tests that rely on these? It seems bad to ship known-broken tests.

@weiznich
Contributor Author

That might be a good idea. On the other hand, the only group that I'm aware of running these tests is package maintainers from Linux distributions, and at least one of them expressed that they prefer ignoring tests with missing files to removed tests.

I personally would exclude all tests as the large majority of downloads will never ever touch the tests at all.

@djc
Member

djc commented Oct 14, 2025

> That might be a good idea. On the other hand, the only group that I'm aware of running these tests is package maintainers from Linux distributions, and at least one of them expressed that they prefer ignoring tests with missing files to removed tests.

They said:

> EDIT: As an aside, fixing up tests that are broken or missing is much more work for us than just skipping some tests that don't work because of missing data / input files - the latter can very easily be worked around by passing appropriate `--skip` arguments to `cargo test`.

Which doesn't exactly compare "ignoring tests with missing files" to "removed tests".

@weiznich
Contributor Author

That's correct, but that still doesn't tell me what you want:

Do you want all tests to be removed or just the broken ones? For the second case: Which tests would be broken by excluding these keys?

@djc
Member

djc commented Oct 14, 2025

Let's wait for feedback from other maintainers. Personally, I agree with Sean's take that the tests are mostly for development/CI and shouldn't really be important to downstream distributors.

During a dependency review I noticed that tokio-rustls includes bad test
keys in the binary PEM format in the published packages. These files are
not required for building tokio-rustls and make it harder to review the
code.

This commit explicitly excludes these files from the published package.
Before this change `cargo package` reported a size of 22 files, 137.1KiB (34.6KiB compressed).
After this change it reports a size of 14 files, 110.6KiB (27.3KiB compressed).
Nevertheless, given the current number of 17 million downloads per month
that would result in a 118 GB/month traffic reduction for crates.io. For
me personally the exclusion of the binary files is the more important
outcome.
@weiznich weiznich force-pushed the remove_key_material branch from 6ce6b35 to 3640205 Compare October 14, 2025 09:00
@djc djc merged commit 24e51b5 into rustls:main Oct 14, 2025
7 checks passed