How to build without rcgen and without ring?

[xnox]

rcgen should be an optional feature, and yet it seems to be always compiled...

# install cargo-auditable plugin
cargo install cargo-auditable
# install rust-audit-info inspection binary
cargo install rust-audit-info
# build ztunnel binary with audit information, no default features, just tls-boring feature
# expectation is that this binary does not pull in rcgen nor ring
cargo auditable build --bin ztunnel --no-default-features --features tls-boring --release
# observe that rcgen & ring packages are pulled into ztunnel binary
rust-audit-info ./out/rust/release/ztunnel | jq -r '.packages | .[] | .name' | grep -e '^rcgen' -e '^ring'
rcgen
ring

Built on master, 1.24.0-alpha.0-33-g0ad78e3, 0ad78e3

Am i missing something?

It seems to me that somehow, via testing feature & dev-dependencies rcgen is always enabled; when it should be optional.

Or is there a bug in the generated rust-audit-info?

[xnox]

Executing:

cargo remove rcgen
cargo remove ring

Appears to remove rcgen & ring from Cargo.toml and lock files.

Rebuilding the binary shows that boring crate, ends up pulling in rustls, and ends up pulling in ring.

Shouldn't the boring crate pull in rustls with custom-provider feature set?

[xnox]

Executing

cargo add --no-default-features --features custom-provider,tls12 [email protected]

Still pulls in ring =(

[howardjohn]

hmmm..

$ cargo tree --no-default-features --features tls-boring -e normal | grep ' ring'

finds no matches. Seems like a bug in cargo-audit or cargo-tree.

$ strings ./out/rust/debug/ztunnel | rg rcgen has none either - not sure that is a very valid check, though - but with the ring build it does show up rcgen so that adds some credibility.