
feat: switch to using rumqttc fork to resolve potential security issues#4145

Draft
reubenmiller wants to merge 1 commit into thin-edge:main from reubenmiller:feat-switch-rumqttc-fork

Conversation

@reubenmiller
Contributor

Proposed changes

Switch to using a rumqttc fork (https://github.com/thehouseisonfire/rumqtt). There is a discussion here on the upstream project about the need for a fork, bytebeamio/rumqtt#1029.

The list below shows the current impact of switching to the fork (it may be incomplete):

  • The rumqttc fork only contains rumqttc (not rumqttd), so we'll also have to fork the upstream rumqtt project to update the rumqttd test dependencies (to avoid having to keep project-wide CVE ignore rules)
  • Requires upgrading the MSRV to 1.89 (from 1.85)
  • Some rumqttc interfaces that we use for logging have moved from public to private, making them inaccessible (loss of functionality)

Types of changes

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
  • Documentation Update (if none of the other choices apply)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue


Checklist

  • I have read the CONTRIBUTING doc
  • I have signed the CLA (in all commits with git commit -s. You can activate automatic signing by running just prepare-dev once)
  • I ran just format as mentioned in CODING_GUIDELINES
  • I used just check as mentioned in CODING_GUIDELINES
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments

Signed-off-by: reubenmiller <reuben.d.miller@gmail.com>
Comment on lines +172 to +173
fn set_pending(&mut self, _requests: Vec<Request>) {
// No-op: pending management is handled internally by the fork's EventLoop.
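Review bot: `set_pending` on lines +172 to +173 discards `_requests` with no trace, so any caller that passes a non-empty vector expecting those requests to be re-queued loses them silently. If the fork's EventLoop really owns pending management, add at least a `debug_assert!(_requests.is_empty())` or a warn-level log when the vector is non-empty so an unexpected call is visible, and remove the method entirely if nothing still calls it.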
Contributor Author

This is an unacceptable change! The fork no longer gives us access to the status, so we'll have to assess if there is another way to provide the logging.

Comment thread Cargo.toml
authors = ["thin-edge.io team <info@thin-edge.io>"]
edition = "2021"
rust-version = "1.85"
rust-version = "1.89"
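Review bot: the `rust-version = "1.89"` bump raises the MSRV by four minor releases and breaks builds for anyone pinned to 1.85, yet the "Types of changes" list in the description does not mark this as a breaking change and the bump is only mentioned in a review comment. State it in the PR description and release notes, and confirm nothing else in the repository still pins 1.85 before this is merged.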
Contributor Author

Switching to the fork requires bumping the MSRV

Comment thread deny.toml
Comment on lines +77 to +79
{ id = "RUSTSEC-2026-0049", reason = "crate: rustls-webpki 0.102.x. Used by rumqttd (test-only broker) which pins ^0.102.x; incompatible with the fixed 0.103.10. No fix available in the 0.102.x line" },
{ id = "RUSTSEC-2026-0098", reason = "crate: rustls-webpki 0.102.x. Used by rumqttd (test-only broker) which pins ^0.102.x; no fix in the 0.102.x line" },
{ id = "RUSTSEC-2026-0099", reason = "crate: rustls-webpki 0.102.x. Used by rumqttd (test-only broker) which pins ^0.102.x; no fix in the 0.102.x line" },
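Review bot: these three `ignore` entries on lines +77 to +79 are keyed only by advisory id, so they suppress RUSTSEC-2026-0049, -0098 and -0099 for the whole workspace, not just rumqttd's test-only tree; if rustls-webpki 0.102.x were ever pulled in by a runtime dependency, the same advisories would be silently ignored there too. Each `reason` should name the removal condition (rumqttd moved off `^0.102.x`, or replaced by the planned fork) so the entries get revisited, and a `cargo deny check advisories` run after that change should be able to drop all three.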
Contributor Author

To address these, we'll probably need to fork the rumqtt (upstream) project and just update the rumqttd components ourselves. This should be a lower risk/impact change since we only use it for tests.

@thehouseisonfire

Hi @reubenmiller, I saw this linked over at my issue.

Anything you need help with from my end?
