rust-asn1 VS urllib3

> I feel like this really only makes sense if pyca/cryptography had planned on adding the Rust dependency from the very beginning (or from very early on). Is there any indication that was the case?

I am sure this idea surfaced several times in IRC or possibly in the mailing lists. Certainly, the authors have been toying with handling ASN.1 in rust since 2015 [1], which I guess will be the next logical step.

I do agree that this is mostly a political stance. pyca/cryptography is a wrapper sandwiched between a gigantic runtime written in C (CPython/PyPy) and a gigantic library written in C (openssl).

The addition of Rust as dependency enables the inclusion of just 90 lines of Rust [2] where the only part that really couldn't be implemented in pure Python is a line copied from OpenSSL [3] (i.e. it was already available), and which is purely algebraic, therefore not mitigating any real memory issue at all (the reason to use rust in the first place).

The change in this wrapper (pyca/cryptographic) does not move the needle of security in any significant way, and it is really only meant to send the signal that adding Rust in all other Python packages and especially in the runtime itself will now come at no (political) cost.

[1] https://github.com/alex/rust-asn1

[2] https://github.com/pyca/cryptography/blob/main/src/rust/src/...

[3] https://github.com/openssl/openssl/blob/OpenSSL_1_1_1i/inclu...

As opposed to what the article says, urllib3 now has experimental support for browser as of Jan 30th.

Source: https://github.com/urllib3/urllib3/releases/tag/2.2.0

Then, I tried to get a firm grip on urllib3 base code, contributing this and there until I was ready to kick things up with a proof of concept that would have put urllib3 far ahead. Without any breaking changes. I was delusional. This was a bit of a shock, but six months passed between my initial kick off and my formal give up, and here's why in a nutshell:

Oh wow, thanks for this story! Would love to hear more if you have time :) Good luck with testing it out.

Note that we found an issue w/ emitting an InsecureRequestWarning by default. The request is perfectly secure, it's just we aren't telling the ConnectionPool that information (see: https://github.com/urllib3/urllib3/issues/3331)

I've had a good experience doing a couple of bug fix bounties for urllib3 https://github.com/urllib3/urllib3/issues . I'd be interested in how the maintainers how found running the bug bounty and if it's given them more useful fixes or if it just adds more noise to deal with

ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with LibreSSL 2.8.3. See: https://github.com/urllib3/urllib3/issues/2168

> Could not import extension sphinx.builders.linkcheck (exception: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with OpenSSL 1.0.2n 7 Dec 2017. See: https://github.com/urllib3/urllib3/issues/2168)

This error is coming from Python, it's telling us Python is failing to import the urllib3 library, these lines here are important:

Requests allows you to send HTTP/1.1 requests extremely easily. There’s no need to manually add query strings to your URLs, or to form-encode your POST data. Keep-alive and HTTP connection pooling are 100% automatic, thanks to urllib3.

Judging projects based on stars is really immature. for example everyone knows requests https://github.com/psf/requests the python package that is used in every python project out there. it has 47k star too WOW. but the thing that less people know is urllib3. https://github.com/urllib3/urllib3. it has only 3k stars. It basically does the heavy lifting for requests!!

urllib3 – Python HTTP library with thread-safe connection pooling, file post support, user friendly, and more