Please reconsider bumping MSRV to 1.71

[tnull]

Describe the bug
The recently released version 0.23.18 bumped the MSRV from 1.63 to 1.71 in a patch release. This was done in #2220 with seemingly no strong necessity, IIUC mostly to adopt the let ... else syntax?

We are downstream users of rustls through a variety of intermediate dependencies and do rely on MSRV 1.63 (building on Debian stable). Shipping this MSRV bump hence breaks our builds. While this is a common issue, we're usually 'okay' with doing some pinning to ensure we can maintain the 1.63 MSRV.

However, in this case we really, really don't want to pin rustls back due to security considerations. Given that the bump happened casually on a patch release means that we have no 'stable' channel that we can keep using (i.e., for which security updates would be provided).

As this doesn't only concern one crate/project, but quite a few projects that depend on or try to maintain an MSRV of 1.63, I'd like to ask you to reconsider the MSRV bump, i.e, the changes in #2220.

As we see it, possible solutions could be, for example:

• Revert Move MSRV to 1.71 #2220, simply stay on MSRV 1.63, at least until the next Debian stable release ships, or
• Intermittently revert Move MSRV to 1.71 #2220, possibly ship it as part of a minor release, and committing to providing backports of security fixes to the 0.23 branch.

[algesten]

Reposting here (original comment):

With ureq (also the new ureq3 which is RC 2), I try to maintain a conservative MSRV. This change forces me to fall in line with 1.71, which is unfortunate since I had hoped to stay on 1.65 for now. I know I'm in a minority that considers MSRV bumps borderline breaking change in semver terms.

For context, I'm fighting an uphill battle. Someone wanted me to ensure ureq 2.x was compatible with 1.63, and I gave up on that one :)

[djc]

We discussed this in Discord last week:

@djc:

re #2208 (comment) (and rustls/rustls-native-certs#152), maybe it's time we just take the leap to 1.64 or 1.65?
The end goal here is to allow this tool to depend on providers in other crates.
The second commit is a straight rename from rustls-bench/src/bench_impl.rs to rustls-bench/src/main.rs but git&#3...
I think we'd still be very safely on the conservative side of the ecosystem
Might even consider going all the way to 1.70
stable Debian (1.63) would be the casualty but with stuff like libc and tokio already going beyond 1.63 I think our current MSRV is starting to become too painful relative to the benefit

@ctz

are there any widely-adopted rolling msrv schemes? (ie, can we automate this and not think about it any more?)
i know tokio have a policy like that, but don't bump the msrv automatically

@djc

I think Renovate can do this
but personally I don't like it
it's always a trade-off and IMO those are best made by people
also don't feel like we've spent a whole lot of time on discussing this over the past... year or so?

@ctz

fair enough. i don't object at all to moving our msrv along; will do a bit of research on what dependencies we could unpin for later versions

@djc

mostly env_logger in the rustls repo I think
which actually needs 1.71 so maybe we should go with that

@ctz

we need 1.80+ to delete polyfill.rs, so that is too aggressive.
there's a comment in ech client asking for let..else, which is 1.64+
we can move from some uses of once_cell in 1.70+, but i think we still need to keep the dependency for no-std uses

@cpu

1.64 seems uncontroversial since we're using that in rustls-ffi and rustls-platform-verifier already. 👍

@ctz

having a crack at this

@complexspaces

Re MSRV: I'd like to be able to use security-framework 3.0 in rustls-platform-verifier since that's the only(?) way to get new APIs into the crate. That requires 1.70 though, which is only 1.5 years old.
Its definitely not a must though. I just anticipate needing to add new APIs for an unrelated work project, and keeping the deps in sync would be nice.

@cpu

I think we're playing with 1.71: #2220

@complexspaces

Ah cool! I wasn't sure how strong of a signal "having a crack at this" was 😆

@cpu

Not sure either 😆

@cpu

Bumping to 3.0 would also let rustls-platform-verifier drop some unfortunate and unused dependencies on macOS (first noticed on a ureq PR).

[ctz]

This was done in #2220 with seemingly no strong necessity,

The main impetus was generally MSRV increases in our dependencies, meaning we were pinning an increasing number of them (both in this crate, and others in rustls org).

• Revert Move MSRV to 1.71 #2220, simply stay on MSRV 1.63, at least until the next Debian stable release ships, or

AIUI Debian "trixie" would become stable sometime mid-2025? That would mean we would effectively have a minus 3-year MSRV policy. ("bookworm" became stable in June 2023, at which point 1.63 was already almost a year old.) That seems pretty exceptional? eg, tokio has a minus 6-month MSRV policy. I accept that tokio has a different posture and position in the ecosystem to rustls.

• Intermittently revert Move MSRV to 1.71 #2220, possibly ship it as part of a minor release, and committing to providing backports of security fixes to the 0.23 branch.

I think if we were to adopt a policy of "MSRV changes are breaking changes" (which is AIUI out of line with the rest of the ecosystem) I would want the start of each release line to aggressively take the latest rustc as its MSRV. In other words, 0.23.0 would have a MSRV of something like 1.75 or 1.76.

[djc]

However, in this case we really, really don't want to pin rustls back due to security considerations. Given that the bump happened casually on a patch release means that we have no 'stable' channel that we can keep using (i.e., for which security updates would be provided).

What is stopping you from taking rustup from apt repositories and using it to bring in a newer toolchain for your Rust stuff?

The Debian release cycle is just extremely slow relative to the Rust one. The rustls project has been pretty conservative, and I would argue it still is (1.71 was released in June 2023), but I don't think we can match Debian.

Maybe this is where we talk about commercial extended support?

[algesten]

That seems pretty exceptional? eg, tokio has a minus 6-month MSRV policy. I accept that tokio has a different posture and position in the ecosystem to rustls.

Yeah, I think ureq (and me personally) fall into a category that favors slowly moving software in stark contrast to "trendy stuff" like tokio. It's a difficult position to be in because central crates like the time crate forces the ecosystem to their policy.

What is stopping you from taking rustup from apt repositories and using it to bring in a newer toolchain for your Rust stuff?

That question has been debated elsewhere many times. I think some enterprise and similar simply do not want rustup. Rightly or wrongly it's not a fight I'm interested in taking on, so I've fallen into this mindset of being as conservative with MSRV as I possibly can. It just helps my users.

[algesten]

Oh. This was the time crate PR I was going to link: time-rs/time#535

[algesten]

The MSRV bump was bundled with a security fix in the same patch, which means I can't get any combo of rustls building cleanly without either accepting that my MSRV is going up, or that I can't avoid that RUSTSEC. In practice not one that affects ureq, but CI are CI and scream angrily at me :)

+ cargo deny --all-features --log-level error --target aarch64-apple-darwin check
error[vulnerability]: rustls network-reachable panic in `Acceptor::accept`
   ┌─ /Users/martin/dev/ureq/Cargo.lock:78:1
   │
78 │ rustls 0.23.17 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2024-0399
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0399
   ├ A bug introduced in rustls 0.23.13 leads to a panic if the received
     TLS ClientHello is fragmented.  Only servers that use
     `rustls::server::Acceptor::accept()` are affected.
     
     Servers that use `tokio-rustls`'s `LazyConfigAcceptor` API are affected.
     
     Servers that use `tokio-rustls`'s `TlsAcceptor` API are not affected.
     
     Servers that use `rustls-ffi`'s `rustls_acceptor_accept` API are affected.
   ├ Announcement: https://github.com/rustls/rustls/issues/2227
   ├ Solution: Upgrade to >=0.23.18 (try `cargo update -p rustls`)
   ├ rustls v0.23.17
     ├── rustls-platform-verifier v0.3.4
     │   └── ureq v3.0.0-rc2
     └── ureq v3.0.0-rc2 (*)

[stevenroose]

What is stopping you from taking rustup from apt repositories and using it to bring in a newer toolchain for your Rust stuff?

The fact that rustup will download and execute unpredictable versions of the rust toolchain and use those to build your projects? But this issue is not the place to discuss the Rust project's insanity of making rustup de-facto part of the cargo compiler. (The rust Docker image ships rustup and you can't turn it off.)

[ctz]

I am willing to cut a 0.23.19 release, which would be equal to 0.23.18 minus the MSRV changes.

Note well:

This would be a one-off, specifically to give users with low MSRV requirements a version to pin with RUSTSEC-2024-0399 fixed.

0.23.20 and subsequent releases would have a MSRV of 1.71.

This does not start a new release line for security backports: future security releases will be backported only to (at the time of writing) 0.23, 0.22 and 0.21 release lines. Therefore, if you are on 0.23 a MSRV bump would be needed to take any future security fixes.

@algesten @tnull since this is different to what this issue is requesting, I'll give some opportunity to say "no, that is not useful" -- I won't make this release unless it will be of use.

[algesten]

@ctz tbh I bumped my main to 1.17.1, and if the decision is to put 0.23.20 back to 1.71, I might as well keep it.

Ideally I would like to keep 1.65, but that would force me to the 0.22 line (which I suspect comes with another can of worms for my other rustls-deps such as platform-verifier). For ureq users I suspect neither pinning a specific 0.23 version nor going with 0.22 is a great option.

rustls is such a central dep for ureq, so if 1.71 is what you require I can't do much but follow along.

Thanks for offering though!

[TheBlueMatt]

What is stopping you from taking rustup from apt repositories and using it to bring in a newer toolchain for your Rust stuff?

The ability to do cross-language LTO releases, which is pretty important for release binary size in some cases.

eg, tokio has a minus 6-month MSRV policy. I accept that tokio has a different posture and position in the ecosystem to rustls.

tokio has a policy of not breaking MSRV on patch releases, however. I don't really see any issue with relatively aggressive MSRV policies for projects that (have the resources to) release patch updates to previous versions and which maintain MSRV for patch releases.