`just clippy` does not catch warnings produced by `just dnssec-openssl` about trust-dns HOT 5 OPEN

I'd be open to a PR that introduces the use of cargo-hack similar to what we have in the rustls repo. Might want a separate job for it since it could be pretty slow?

(If you just want to fix the dnssec-openssl warnings, that might be a good start, too.)

@bluejekyll I think you've mentioned wanting to just get rid of OpenSSL-based stuff before, how are you feeling about that project now?

from trust-dns.

I keep hesitating on the removal of OpenSSL because of some of the compliance it has that we're still waiting on for Rustle. I think we should just clean it up instead of fixing up testing related to it, but it wouldn't be hard to fix this.

Today we only test these feature flags directly with clippy:

clippy:
    find {{justfile_directory()}} -name '*.rs' -exec touch {} \;
    just clippy-inner --no-default-features
    just clippy-inner
    just clippy-inner --all-features

We could add this after --all-features, just clippy-inner --features=dnssec-openssl. OpenSSL generally doesn't get caught, because where they conflict, Rustls takes precedent.

from trust-dns.

I keep hesitating on the removal of OpenSSL because of some of the compliance it has that we're still waiting on for Rustle. I think we should just clean it up instead of fixing up testing related to it, but it wouldn't be hard to fix this.

What kind of compliance are we waiting for? I think Rustls is in a pretty good place today.

from trust-dns.

What kind of compliance are we waiting for?

Primarily, FIPS compliance, does this announcement mean that Rustls is FIPS compliant now? https://www.memorysafety.org/blog/rustls-with-aws-crypto-back-end-and-fips/

from trust-dns.

Yes, Rustls from 0.22 onwards supports the aws-lc-rs crypto provider which has a FIPS mode available (on Linux only).

from trust-dns.