
Automated releases fail: OpenSSL cross-compilation errors on all targets #37

@mostronatorcoder

Problem

PR #32 added automated multi-arch release workflow, but all releases fail due to cross-compilation errors.

Evidence:

Failed targets:

  • x86_64-unknown-linux-musl
  • aarch64-unknown-linux-musl
  • armv7-unknown-linux-gnueabi
  • x86_64-pc-windows-gnu
  • x86_64-unknown-freebsd

Root Cause

OpenSSL dependency in reqwest:

reqwest = { version = "0.13.2", features = ["native-tls", "json", "http2"] }

native-tls → openssl-sys → requires system OpenSSL headers for each target architecture during cross-compilation.

Why it fails:

  • Cross-compilation with native-tls requires installing libssl-dev for each target
  • Requires custom Docker configuration (pre-build hooks or Dockerfiles)
  • Complex arch mapping (amd64, arm64, armhf for Debian packages)
  • Not supported out-of-the-box by cross tool

Solution: Switch to rustls (Pure Rust TLS)

Change:

- reqwest = { version = "0.13.2", features = ["native-tls", "json", "http2"] }
+ reqwest = { version = "0.13.2", features = ["rustls", "json", "http2"] }
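Review bot: The `+` line keeps reqwest's default features enabled, while the same change under Implementation Plan sets `default-features = false`; the two versions should agree. If a default feature still selects a TLS backend, swapping `native-tls` for `rustls` in the feature list alone will not remove it, so use the `default-features = false` form here and confirm the result with the `cargo tree` check in step 3.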

Benefits:

  • ✅ No system dependencies (pure Rust crypto)
  • ✅ Cross-compilation works out-of-the-box with cross
  • ✅ No Docker configuration needed
  • ✅ Same HTTPS functionality
  • ✅ Portable across all platforms

Trade-offs:

  • Binary size increases ~200KB
  • Uses webpki-roots instead of system CA store (acceptable for mostrix use case)

Alternative Considered: Fix Cross.toml

Option: Add pre-build hooks to install OpenSSL for each target.

Why rejected:

Verdict: Vendored crypto (rustls) is simpler and more reliable.


Impact

Current state:

  • Automated releases broken
  • Manual binary distribution required
  • Users cannot download pre-built binaries from GitHub releases

After fix:

  • Automated releases work for all 5 architectures
  • GitHub releases include binaries + SHA256 manifest
  • Users can download and verify binaries

Implementation Plan

  1. Modify Cargo.toml:

    - reqwest = { version = "0.13.2", default-features = false, features = ["native-tls", "json", "http2"] }
    + reqwest = { version = "0.13.2", default-features = false, features = ["rustls", "json", "http2"] }
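Review bot: The `-` line carries `default-features = false`, but the line quoted under Root Cause does not, so one of the two does not match the current Cargo.toml and the hunk may not apply as written. State the actual current line; if `default-features = false` is being added, list it as part of the change, since it also drops every other default reqwest feature.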
  2. Validate:

    cargo fmt
    cargo clippy --all-targets --all-features -- -D warnings
    cargo test
  3. Verify no OpenSSL dependency:

    cargo tree | grep openssl
    # Should return empty
  4. Test cross-compilation locally (optional):

    cross build --release --target x86_64-unknown-linux-musl
    cross build --release --target aarch64-unknown-linux-musl
  5. Create PR with changes

  6. Re-trigger release:

    • After PR merge, create new tag (e.g., v0.1.5)
    • Workflow should succeed for all 5 targets

Acceptance Criteria

  • Cargo.toml updated to use rustls instead of native-tls
  • cargo tree shows no openssl-sys dependency
  • All validation passes (fmt, clippy, test)
  • Release workflow succeeds for all 5 targets
  • GitHub release created with 5 binaries + manifest
  • Binaries are verified to work on respective platforms

Related


Estimated Effort

  • Code change: 1 line (Cargo.toml)
  • Validation: 5 minutes
  • PR review/merge: depends on review cycle
  • Re-trigger release: create new tag → automatic

Total time: ~15 minutes of active work + review time


Priority

High — Automated releases are a key feature for distribution. Users expect pre-built binaries.


Labels

bug, release, cross-compilation, dependencies
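
A stricter form of the step 3 check that can serve as a CI gate, added here as an example (it is not part of the original issue or the project's code). The function names, the blocked-crate list and the sample dependency graphs are assumptions constructed for illustration; only `reqwest v0.13.2` comes from the issue.

```shell
#!/bin/sh
# Crates whose presence means the build links system OpenSSL (assumed list).
BLOCKED_CRATES="openssl-sys openssl native-tls"

# Reads `cargo tree --prefix none` output on stdin and prints each blocked
# crate once. Names are compared exactly, so the pure-Rust `openssl-probe`
# (which a plain `grep openssl` would flag) does not trip the gate.
find_blocked_crates() {
    awk -v blocked="$BLOCKED_CRATES" '
        BEGIN { n = split(blocked, b, " "); for (i = 1; i <= n; i++) want[b[i]] = 1 }
        # Each line is "<name> v<version> [extras]"; field 1 is the crate name.
        ($1 in want) && !seen[$1]++ { print $1 }
    '
}

# Returns 0 when the graph is clean, 1 (with a message on stderr) otherwise.
check_no_openssl() {
    found=$(find_blocked_crates)
    [ -z "$found" ] && return 0
    echo "blocked crates in dependency graph:" $found >&2
    return 1
}

# Constructed sample: graph with native-tls enabled (versions are placeholders).
sample_native_tls() {
    cat <<'EOF'
mostrix v0.0.0 (/work/mostrix)
reqwest v0.13.2
native-tls v0.0.0
openssl v0.0.0
openssl-sys v0.0.0
openssl-probe v0.0.0
openssl-sys v0.0.0 (*)
EOF
}

# Constructed sample: graph after switching to rustls.
sample_rustls() {
    cat <<'EOF'
mostrix v0.0.0 (/work/mostrix)
reqwest v0.13.2
rustls v0.0.0
rustls-native-certs v0.0.0
openssl-probe v0.0.0
EOF
}

# In CI, from the crate root (all targets, not just the host):
#   cargo tree --target all --prefix none | check_no_openssl
```

Unlike `cargo tree | grep openssl`, which exits non-zero when the graph is clean, this gate exits 0 on success and can be used directly as a pipeline step.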
