chore(bindings): release

[toidiu]

Please DONT merge until #4393 has been merged

Description of changes:

The diff going out as part of the release: v1.4.2...v1.4.3

Testing:

I ran cargo publish --dry-run --allow-dirty and caught a bunch of build-dependency issues. More on there in the comments: #4388 (comment)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[Mark-Simulacrum]

This doesn't feel like the right approach to me. Pinning transitive(!) dependencies like this is forcing the costs of lower MSRV on all downstream consumers, rather than letting them deal with it as they see fit (e.g., patching these crates to a lower version, keeping an older crates.io index as-of that version, etc.) -- and for consumers that are happy to use latest Rust, this forces them to use stale or many versions of your dependencies.

[Mark-Simulacrum]

(It obviously doesn't need to block this PR, since it seems like a pre-existing decision, just wanted to leave a comment)

[toidiu]

I started investigating this on other platforms and I dont see an issue when building this on linux. Converting this to draft while I finish investigating

[toidiu]

aws-lc-rs was behaving differently on Mac vs Linux because of bindgen build logic on those platforms. aws-lc has a PR to to pin bindgen deps and test it in CI.

---

The behavior I was seeing:
Mac:

• new git clone: fails ‘cargo build’
• new git clone: fails ‘cargo publish --dry-run’

Linux:

• new git clone: success ‘cargo build’
• new git clone: success ‘cargo publish --dry-run’

[toidiu]

This doesn't feel like the right approach to me. Pinning transitive(!) dependencies like this is forcing the costs of lower MSRV on all downstream consumers

Its not ideal but in order to guarantee that the project can be built and run with the MSRV we advertise, we need to restrict these. I think that the pain we live with until we can update to a higher MSRV. Hopefully that day is not too far in the future.

[camshaft]

This isn't the right approach. It needs to be done in dev-dependencies. Applications will, unfortunately, need to do the same if they want to build on older rustc versions.

[toidiu]

Spoke offline, seems that even though build-deps is what these dependencies are being used for, we want to pin them at the dev-deps since those dont get passed onto the application.

[toidiu]

updated in c01822e

[Mark-Simulacrum]

This isn't the right approach. It needs to be done in dev-dependencies. Applications will, unfortunately, need to do the same if they want to build on older rustc versions.

I see, so the goal of this is purely for your own CI to check that you're still satisfying msrv? I think typically folks do that by checking in a minimum version compatible lockfile rather than needing to manually do things like this.

[toidiu]

checking in a minimum version compatible lockfile

What is this method? Do you have a link to a sample proj or link to a tool?

[camshaft]

You should only need to do this once for the whole workspace. I would just do it in the generate crate.

[toidiu]

Let me test and verify.

generate already has those restrictions and it still fails https://github.com/aws/s2n-tls/blob/main/bindings/rust/generate/Cargo.toml#L13

At the minimum I need the pinning in s2n-tls-sys. I am testing by pulling down a fresh copy of s2n-tls and running the ./generate.sh script on my Mac.

[toidiu]

Tested with a fresh clone of s2n-tls and leaned up in: ffb7edb