0.102 release planning

[djc]

Let's gather some context for release blockers

• Update pki-types to 1.0

Done:

• Switch to using the pki-types crate #147
• verify_cert: bound name constraint comparisons. #165
• Budget tweaks #164
• Further limits on expensive path building #163
• verify_cert: correct handling of fatal errors. #168
• rustls-webpki returns an error when parsing DNS names from a certificate generated using cfssl #167
• Expose GeneralDnsNameRef #50
• Optionally support aws-lc-rs #158
• Expose built path in public API #174
• Fix Budget in CertRevocationList trait.
• Push RevocationOptions into pki-types to avoid public webpki type in rustls API?
• Migrate to pki-types ServerName #207

[cpu]

Added a few more items to the list (most of which are already merged).

[cpu]

Almost there 🎉

[djc]

I think we should defer releasing the final version of this until the final rustls release is also ready, in order to avoid creating more semver-incompatible version branches (that we have to maintain according to our maintenance policy) if it still turns out that we have some churn in the API we want for rustls.

[cpu]

That sounds good to me.

[djc]

Thought about the requirements before release some more, added 3 items.

[cpu]

Push RevocationOptions into pki-types to avoid public webpki type in rustls API?

We chatted about this one in a Discord thread. Making this change will require moving a lot of types into pki-types, most of which are actually specific to webpki and don't look like they would generalize well to other verifiers. There are some additional downsides to this approach as well, like having to un-seal the CertRevocationList trait.

The line-item mentions leaking types into the rustls API but presently the webpki revocation types only appear in the webpki verifier bits that are already specific to webpki. The rustls/rustls#1430 issue that may have motivated this change can be accomplished by wrapping the webpki verifier so it doesn't seem like it would justify the work involved.

In sum: I think we're going to table this idea for the 0.22 release and encourage 1430 be solved with other workarounds.

[ctz]

Push ServerName type into pki-types so it can be shared with rustls?

That would include DnsName I suppose, so we could remove the duplication there (though it has a modest amount of behaviour for a crate that is so far mostly structural).

I guess moving this up could theoretically be a non-breaking change? In the sense that both webpki and rustls could reexport the moved type? That is assuming the type we move is a superset of webpki::DnsName and rustls::DnsName?

[ctz]

Aside from some release engineering (taking pki-types to 1.0, editing versions here) I think this is done?

[djc]

Yeah, I think so!

[ctz]

https://crates.io/crates/rustls-webpki/0.102.0