Skip to content

Upgrade tonic TLS stack#541

Merged
ti-chi-bot[bot] merged 1 commit into
tikv:masterfrom
hbisheng:cse-0.4.0-tonic-0.12-tls
Jun 22, 2026
Merged

Upgrade tonic TLS stack#541
ti-chi-bot[bot] merged 1 commit into
tikv:masterfrom
hbisheng:cse-0.4.0-tonic-0.12-tls

Conversation

@hbisheng

@hbisheng hbisheng commented Jun 18, 2026

Copy link
Copy Markdown
Member

Upgrade tonic from 0.10 to 0.12 while keeping TLS enabled.

tonic 0.10's tls feature pulls in the older rustls 0.21 / rustls-webpki 0.101 TLS stack, which is affected by RustSec advisories such as RUSTSEC-2026-0098, RUSTSEC-2026-0099, and RUSTSEC-2026-0104.

tonic 0.12 keeps the existing tls feature API but moves TLS to tokio-rustls 0.26 / rustls 0.23, which uses patched rustls-webpki versions. This keeps TLS support working while removing the vulnerable old TLS dependency path.

Summary by CodeRabbit

  • Chores
    • Updated core framework dependencies to their latest stable versions. These updates deliver important bug fixes, security patches, and performance optimizations from upstream libraries. The enhancements improve application stability, ensure better compatibility with modern production environments, and strengthen overall system reliability.

@ti-chi-bot ti-chi-bot Bot added dco-signoff: yes Indicates the PR's author has signed the dco. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jun 18, 2026
@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a4e5f307-1496-4136-9568-3715bdce2ad8

📥 Commits

Reviewing files that changed from the base of the PR and between 158a395 and 5479654.

📒 Files selected for processing (1)
  • Cargo.toml
🚧 Files skipped from review as they are similar to previous changes (1)
  • Cargo.toml

📝 Walkthrough

Walkthrough

Cargo.toml is updated to bump prost from 0.12 to 0.13 and tonic from 0.10 to 0.12, with the existing tls and gzip feature flags on tonic retained unchanged.

Changes

Dependency Version Bumps

Layer / File(s) Summary
prost and tonic version updates
Cargo.toml
prost bumped from 0.12 to 0.13; tonic bumped from 0.10 to 0.12 with tls and gzip features retained.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐇 Hop, hop, a version leap today,
prost jumps to thirteen on its way,
tonic follows, twelve it claims,
features kept, no breaking chains,
the bunny cheers with joyful play! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Upgrade tonic TLS stack' accurately reflects the main change in the PR—upgrading tonic from 0.10 to 0.12 to address TLS stack vulnerabilities.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@hbisheng hbisheng force-pushed the cse-0.4.0-tonic-0.12-tls branch from 0c2b75a to 158a395 Compare June 18, 2026 03:46
@ti-chi-bot ti-chi-bot Bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jun 18, 2026
@hbisheng hbisheng marked this pull request as draft June 18, 2026 03:54
@ti-chi-bot ti-chi-bot Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 18, 2026
@hbisheng hbisheng force-pushed the cse-0.4.0-tonic-0.12-tls branch from 158a395 to 5479654 Compare June 18, 2026 04:01
@ti-chi-bot ti-chi-bot Bot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jun 18, 2026
Signed-off-by: Bisheng Huang <hbisheng@gmail.com>
@hbisheng hbisheng marked this pull request as ready for review June 18, 2026 04:17
@ti-chi-bot ti-chi-bot Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 18, 2026
@hbisheng hbisheng requested a review from overvenus June 18, 2026 04:17
@ti-chi-bot ti-chi-bot Bot added needs-1-more-lgtm Indicates a PR needs 1 more LGTM. approved labels Jun 18, 2026
@ti-chi-bot

ti-chi-bot Bot commented Jun 22, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: coocood, LykxSassinator

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [LykxSassinator,coocood]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ti-chi-bot ti-chi-bot Bot added lgtm and removed needs-1-more-lgtm Indicates a PR needs 1 more LGTM. labels Jun 22, 2026
@ti-chi-bot

ti-chi-bot Bot commented Jun 22, 2026

Copy link
Copy Markdown

[LGTM Timeline notifier]

Timeline:

  • 2026-06-18 23:35:40.54373899 +0000 UTC m=+1694241.614056380: ☑️ agreed by coocood.
  • 2026-06-22 02:52:14.705319003 +0000 UTC m=+1965235.775636393: ☑️ agreed by LykxSassinator.

@ti-chi-bot ti-chi-bot Bot merged commit dda06db into tikv:master Jun 22, 2026
8 checks passed
eduralph added a commit to getwyrd/wyrd that referenced this pull request Jul 13, 2026
…the shipped-artifact wall

`cargo deny --all-features check advisories` surfaces five advisories, every one of
them reachable only through tikv-client 0.4.0 behind the off-by-default `tikv`
feature. There is no patch to take: tikv-client 0.4.0 pins tonic 0.10 -> rustls 0.21
-> the vulnerable rustls-webpki, and the upstream fix (tikv/client-rust#541, merged
2026-06-26) has never been released. So write the boundary down rather than chase a
release that is not coming.

The exceptions go in a SEPARATE config, not deny.toml
cargo-deny's `[advisories] ignore` entries are keyed by advisory ID alone — 0.20
accepts only `id` and `reason`, with no crate- or feature-scoping — so an entry
applies to the whole graph it is used with. Parking the tikv-client exceptions in
deny.toml would mean the wall guarding the SHIPPED ARTIFACT carried them too, and a
future default dependency that happened to pull an affected version of the same crate
would be silently waved through — holing the exact guarantee that file exists to make.

So:
  * deny.toml              — the default graph, i.e. what we ship. Zero backend
                             exceptions, and a test now pins that it stays that way.
  * deny-all-features.toml — the off-by-default `fdb`/`tikv` trees, which the default
                             run cannot see at all.

`cargo xtask ci` runs BOTH walls. Keeping the second one in xtask rather than in the
workflow YAML matters: `cargo xtask ci` is the documented local equivalent of the Rust
gate (ADR-0009), so a YAML-only audit would pass on a contributor's laptop and fail
only in CI. It costs seconds — cargo-deny resolves Cargo.lock and compiles nothing, so
auditing the optional trees needs none of their native toolchains.

The comment is explicit that this is a statement about the shipped artifact and NOT a
claim that the TiKV leg is safe: RUSTSEC-2026-0104 is a live DoS in the TLS
cert-validation path for anyone who builds --features tikv and talks TLS-with-CRLs.

Two places this departs from the issue as filed:

- The delete-condition is not "#443 removes the feature". #443 stands TiKV down but
  RETAINS it, so these entries have no scheduled end. They are deleted by a tikv-client
  release carrying #541, or by an explicit future decommission decision. Recorded as
  such, with a 2027-01-31 review trigger so "tracked, not waived" cannot decay into a
  permanent silent waiver of a high-severity advisory.
- The rand 0.7.3 question resolves to "no entry needed", and not for the reason the
  issue assumed: cargo-deny 0.20's `version = 2` config has no `unsound` key at all
  (setting one is a hard deserialization error), so RUSTSEC-2026-0097 is never raised.
  An ignore for it would be dead config.

Also corrects the AUDIT POLICY header, which claimed the off-by-default FDB tree "IS
audited here" by the default `cargo deny check`. It is not: that invocation passes no
feature flags, so foundationdb, libloading and tikv-client are all absent from the
graph it walks — which is why ISC has always warned `license-not-encountered`. That
warning also exposes a real gap the header now names rather than papers over: the
ADR-0003 LICENCE wall does not cover the optional trees at all (#547).

Verified: `cargo deny --all-features --config deny-all-features.toml check advisories`
ok (5 errors before); `cargo deny check` still ok with zero backend ignores; the same
all-features graph WITHOUT the new config still shows all 5, so the split is not a
no-op; `cargo xtask ci` green, running both walls; typos clean. Reviewed by
`codex review` to clean (it caught both the global-ignore hole and the xtask-vs-YAML
placement).

Refs #420, #435, #443, #547. ADR-0003 §2, ADR-0009, ADR-0042.

Closes #543

Signed-off-by: Eduard R. <eduard@ralphovi.net>
eduralph added a commit to getwyrd/wyrd that referenced this pull request Jul 13, 2026
…the shipped-artifact wall

`cargo deny --all-features check advisories` surfaces six advisories, every one of
them reachable only through tikv-client 0.4.0 behind the off-by-default `tikv`
feature. There is no patch to take: tikv-client 0.4.0 pins tonic 0.10 -> rustls 0.21
-> the vulnerable rustls-webpki, and the upstream fix (tikv/client-rust#541, merged
2026-06-26) has never been released. So write the boundary down rather than chase a
release that is not coming.

The exceptions go in a SEPARATE config, not deny.toml
cargo-deny's `[advisories] ignore` entries are keyed by advisory ID alone — there is
no crate- or feature-scoping — so an entry applies to the whole graph it is used
with. Parking the tikv-client exceptions in deny.toml would mean the wall guarding the
SHIPPED ARTIFACT carried them too, and a future default dependency that pulled an
affected version of the same crate would be silently waved through — holing the exact
guarantee that file exists to make. So:

  * deny.toml              — the default graph, i.e. what we ship. Zero backend
                             exceptions, and a test pins that it stays that way.
  * deny-all-features.toml — the off-by-default `fdb`/`tikv` trees, which the default
                             run cannot see at all.

`cargo xtask ci` runs BOTH walls. Keeping the second in xtask rather than in workflow
YAML matters: `cargo xtask ci` is the documented local equivalent of the Rust gate
(ADR-0009), so a YAML-only audit would pass on a laptop and fail only in CI. It costs
seconds — cargo-deny resolves Cargo.lock and compiles nothing.

Both walls now audit unsoundness across the WHOLE graph
`unsound = "all"`, on both. cargo-deny's default scope is `workspace` — our own crates
only — and since every crate we link is transitive, the wall was blind to precisely the
class of bug it exists for. It was hiding a real one in the SHIPPED graph:
RUSTSEC-2026-0190, UB in anyhow's `Error::downcast_mut()` after `Error::context`. That
is fixed here by bumping anyhow to the patched 1.0.103 — the wall goes green on a fix,
not on a waiver. In the optional graph the same scope raises RUSTSEC-2026-0097 (rand
0.7.3 <- fail <- tikv-client), which is ignored on the same terms as the rest of that
tree. An earlier draft of this change asserted the opposite — that unsound advisories
were "not checkable" because cargo-deny had no `unsound` key. That was wrong: the key
exists and takes a scope, and `unsound = "deny"` had failed to parse as an invalid
VALUE, not an unknown key. Caught in review.

The comments are explicit that this is a statement about the shipped artifact and NOT a
claim that the TiKV leg is safe: RUSTSEC-2026-0104 is a live DoS in the TLS
cert-validation path for anyone who builds --features tikv and talks TLS-with-CRLs.

Two places this departs from the issue as filed:

- The delete-condition is not "#443 removes the feature". #443 stands TiKV down but
  RETAINS it, so these entries have no scheduled end. They are deleted by a tikv-client
  release carrying #541, or by an explicit future decommission decision. Recorded as
  such, with a 2027-01-31 review trigger so "tracked, not waived" cannot decay into a
  permanent silent waiver of a high-severity advisory.
- The rand 0.7.3 question resolves to "it needs an entry after all" — see above.

Also corrects the AUDIT POLICY header, which claimed the off-by-default FDB tree "IS
audited here" by the default `cargo deny check`. It is not: that invocation passes no
feature flags, so foundationdb, libloading and tikv-client are absent from the graph it
walks — which is why ISC has always warned `license-not-encountered`. That warning also
exposes a real gap the header now names rather than papers over: the ADR-0003 LICENCE
wall does not cover the optional trees at all (#547).

Verified: both walls green (`cargo deny check`; `cargo deny --all-features --config
deny-all-features.toml check advisories`), and the same all-features graph WITHOUT the
new config still shows every tikv advisory, so the split is not a no-op. `cargo xtask ci`
green, running both walls. Tests pin the invariants: no backend exception in deny.toml,
and `unsound = "all"` in both. typos clean. `codex review` to clean.

Depends on #549 (#548): `cargo deny` is red on main until the yanked spin is bumped.

Refs #420, #435, #443, #547. ADR-0003 §2, ADR-0009, ADR-0042.

Closes #543

Signed-off-by: Eduard R. <eduard@ralphovi.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved dco-signoff: yes Indicates the PR's author has signed the dco. lgtm size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants