perf(deps): drop aws-lc-rs from non-FIPS builds, use ring backend#1219
Open
duncanista wants to merge 1 commit intomainfrom
Open
perf(deps): drop aws-lc-rs from non-FIPS builds, use ring backend#1219duncanista wants to merge 1 commit intomainfrom
duncanista wants to merge 1 commit intomainfrom
Conversation
Base automatically changed from
jordan.gonzalez/dependencies/libdatadog-32.0.0
to
main
May 5, 2026 21:25
Bottlecap previously enabled `rustls/aws-lc-rs` directly AND pulled
ring transitively via `libdd-common/https`, so default builds
linked both crypto backends and shipped ~1.5 MiB of unused machine
code (aws-lc-sys alone is ~543 KiB stripped per cargo-bloat).
Switch to a single provider per mode:
* default: ring (the libdatadog default — comes via
libdd-common/https → rustls/ring + hyper-rustls/ring).
* fips: aws-lc-rs (FIPS-validated — comes via rustls/fips +
libdd-common/fips → hyper-rustls/fips).
Drops the hardcoded `aws-lc-rs` feature on the rustls direct dep and
makes the explicit `default_provider().install_default()` calls in
http_client.rs and trace_processor.rs cfg-conditional on the
bottlecap `fips` feature.
Verified via `cargo tree`:
* `--features default`: ring ✓ pulled, aws-lc-rs ✗ absent
* `--no-default-features --features fips`: aws-lc-rs ✓ pulled,
ring ✗ absent
Production layer build (arm64, non-FIPS):
bottlecap stripped: 11,709,896 → 10,137,032 B (−1,572,864 B, −13.4%)
layer zip: 5,324,844 → 4,528,013 B ( −796,831 B, −15.0%)
duncanista
force-pushed
the
jordan.gonzalez/dependencies/drop-aws-lc-rs-default
branch
from
7d8c7f2 to
c4e191d
Compare
litianningdatadog
approved these changes
May 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Stacks on top of #1218. Drops the duplicate
aws-lc-rscrypto provider from non-FIPS builds, leaving a single backend per mode. Cuts ~15% off the deployed layer zip on its own.bottlecapstripped (arm64)datadog_extension.zip(arm64)Why this exists
Until #1218 landed the libdatadog gating fixes, bottlecap was pulling both
ringandaws-lc-rsinto every build:ringcame in transitively vialibdd-common/https → rustls/ring + hyper-rustls/ringaws-lc-rswas hardcoded directly viarustls = { features = ["aws-lc-rs"] }inbottlecap/Cargo.toml, plus explicitrustls::crypto::aws_lc_rs::default_provider().install_default()calls inhttp_client.rsandtrace_processor.rsThe libdatadog gating from DataDog/libdatadog#1943 fixed the transitive path, but bottlecap's direct
aws-lc-rsusage remained. Result: thedb05e1fbump in #1218 keeps both providers linked into the binary and ships ~1.5 MiB of unused machine code (aws-lc-sysalone is ~543 KiB stripped percargo bloat, and the surrounding rustls / hyper-rustls / boringssl glue makes up the rest).Change
bottlecap/Cargo.toml— drop theaws-lc-rsfeature from the rustls direct dep:The provider now flows in transitively per mode:
default:libdd-common/https→rustls/ringfips:bottlecap/fips→rustls/fips(FIPS-validated aws-lc-rs)bottlecap/src/traces/http_client.rs— makeensure_crypto_provider_initializedcfg-conditional on the bottlecapfipsfeature sorustls::crypto::ring::default_provideris used in non-FIPS andrustls::crypto::aws_lc_rs::default_provideronly in FIPS.bottlecap/src/traces/trace_processor.rs— same cfg split for the test-helperdefault_provider().install_default()call.Verification
cargo tree:Build script's FIPS dep check still passes:
Risk
This is a real behavior change for non-FIPS deployments — TLS goes from
aws-lc-rstoringas the default provider. Both are FIPS-incapable in non-FIPS builds anyway (the FIPS variant lives behindrustls/fips), so the user-visible difference is limited to TLS internals (cipher suite priority list, perf characteristics, supported algorithms).ringis the libdatadog-wide default and is what every other libdd-* consumer in the workspace ends up on after #1943, so this aligns bottlecap with the rest of the ecosystem.Should be smoke-tested in a real Lambda environment before merging — the dev-server path and a representative trace/metric flush should both work end-to-end.
Test plan
cargo check --all-targets(default features)cargo clippy --workspace --all-targets --features defaultcargo clippy --workspace --all-targets --no-default-features --features fips— FIPS dep check still passescargo tree— verified single provider per modeARCHITECTURE=arm64 FIPS=false ./scripts/build_bottlecap_layer.sh— built successfully, sizes aboveBase
Stacked on #1218 (libdatadog
db05e1fbump + HttpClientTrait adoption). Will rebase tomainonce that lands.