Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add http & https asset sources #16366

Open
wants to merge 39 commits into
base: main
Choose a base branch
from

Conversation

mrchantey
Copy link
Contributor

@mrchantey mrchantey commented Nov 13, 2024

Objective

Solution

  • Add http & https asset sources

Testing

  • Verify visually by running cargo run --example http_source

Showcase

Bevy now supports assets loaded via url!

Add the http_source and optionally http_source_cache features.

  // Simply use a url where you would normally use an asset folder relative path
  let handle = asset_server.load("https://raw.githubusercontent.com/bevyengine/bevy/refs/heads/main/assets/branding/bevy_bird_dark.png");
  commands.spawn(Sprite::from_image(handle));

@mrchantey
Copy link
Contributor Author

It looks like surf and http-cache-surf have failed licence, vunerability & unmaintaned checks. Does that mean they're not allowed as first party dependencies?

@BenjaminBrienen
Copy link
Contributor

It's possible to add an exception for the licenses, but unmaintained and vulnerable is pretty bad.

@IQuick143 IQuick143 added C-Feature A new feature, making something new possible A-Assets Load files from disk to use for things like images, models, and sounds C-Dependencies A change to the crates that Bevy depends on X-Contentious There are nontrivial implications that should be thought through D-Modest A "normal" level of difficulty; suitable for simple features or challenging fixes S-Needs-Review Needs reviewer attention (from anyone!) to move forward labels Nov 13, 2024
@mnmaita
Copy link
Member

mnmaita commented Nov 13, 2024

This could be done with something like reqwest maybe to avoid using the unmaintained crates. I successfully ran the example with it but my code is probably bad 😅. I can still push a PR as a showcase in case it serves as inspiration.

Copy link
Contributor

@MalekiRe MalekiRe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep this looks awesome to me! Also I wasn't aware of the surf crate; I'll have to keep it in mind for any bevy dashboards I make in the future

@mrchantey
Copy link
Contributor Author

I can still push a PR as a showcase in case it serves as inspiration.

@mnmaita actually that would be great, I've replaced surf and http-cache-surf with reqwest line for line but am a bit stuck at the moment with reqwest demanding to be run inside a tokio runtime.

// crates/bevy_asset/src/http_source.rs#134

    let client = reqwest_middleware::ClientBuilder::new(Client::new())
        .with(Cache(HttpCache {
            mode: CacheMode::Default,
            manager: CACacheManager::default(),
            options: HttpCacheOptions::default(),
        }))
        .build();

    let response = ContinuousPoll(client.get(str_path).send())
        .await

@jf908
Copy link
Contributor

jf908 commented Nov 15, 2024

FWIW surf has a bug where any erroring http response >8kb stops every subsequent request from succeeding and is unlikely to ever be fixed which made me unable to use bevy_web_asset so I would personally appreciate a switch 😄.

If you can't get reqwest to work perhaps hyper would suffice since it's already in the dep tree for BRP? Perhaps too low level for this.

@mrchantey
Copy link
Contributor Author

The council of bevy async wizards has spoken and we're going with ureq. It doesn't currently have a http-cache wrapper but I've opened an issue and the author might look into creating one when they have time. I guess its worth waiting a bit to see if ureq will get first party support before rolling our own http-cache wrapper, in which case this pr is ready for review :)

A few notes:

  • We're still failing check-advisories & check-licences
  • I used gh codespaces so wasnt able to cargo run --example http_source, can somebody please try running that?

Copy link
Contributor

You added a new example but didn't add metadata for it. Please update the root Cargo.toml file.

@jf908
Copy link
Contributor

jf908 commented Nov 19, 2024

  • I used gh codespaces so wasnt able to cargo run --example http_source, can somebody please try running that?

Tested on Windows 11. The example prints a 404 error when the .meta file fails to load and doesn't show the sprite.

If I configure AssetPlugin to AssetMetaCheck::Never, it runs correctly.

I believe the asset is still supposed to load successfully even if the .meta file 404s so I think this is a bug?

@BenjaminBrienen BenjaminBrienen added S-Waiting-on-Author The author needs to make changes or address concerns before this can be merged and removed S-Needs-Review Needs reviewer attention (from anyone!) to move forward labels Nov 20, 2024
@BenjaminBrienen
Copy link
Contributor

We're still failing check-advisories & check-licences
I used gh codespaces

You can ignore that. It isn't a required check. Once those 2 small issues above are fixed, this should be in a pretty good state, I think.

@BenjaminBrienen BenjaminBrienen added S-Needs-Review Needs reviewer attention (from anyone!) to move forward and removed S-Waiting-on-Author The author needs to make changes or address concerns before this can be merged labels Dec 23, 2024
@mockersf
Copy link
Member

mockersf commented Dec 23, 2024

a decision on authorising licenses unicode 3.0 and MPL 2.0 need to be taken before merging this PR

@alice-i-cecile alice-i-cecile added S-Ready-For-Final-Review This PR has been approved by the community. It's ready for a maintainer to consider merging it and removed S-Needs-Review Needs reviewer attention (from anyone!) to move forward labels Dec 23, 2024
@alice-i-cecile
Copy link
Member

a decision on authorising licenses unicode 3.0 and MPL 2.0 need to be taken before merging this PR

Previous Unicode licenses are already allowed and it is extremely permissive.

MPL 2.0 is already in tree under off-by-default feature flags for various audio formats. This doesn't strike me as any different, and MPL is not dangerously viral to use as a dependency in the same way as e.g. AGPL.

@mockersf
Copy link
Member

mockersf commented Dec 24, 2024

then they should be added to the license check config, otherwise every other pr after will have failed ci

@mrchantey
Copy link
Contributor Author

mrchantey commented Dec 24, 2024

Last license issue is ring (ureq > rustls dep) which has a custom license:

error[unlicensed]: ring = 0.17.8 is unlicensed
  ┌─ registry+https://github.com/rust-lang/crates.io-index#[email protected]:2:9
  │
2 │ name = "ring"
  │         ━━━━ a valid license expression could not be retrieved for the crate
3 │ version = "0.17.8"
4 │ license = ""
  │            ─ license expression was not specified
5 │ license-files = [
6 │     { path = "/home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ring-0.17.8/LICENSE", hash = 0xbd0eed23, score = 0.66, license = "OpenSSL" },
  │                                                                                                                                  ──── low confidence in the license text

@mockersf
Copy link
Member

could you try to remove the dependency on ring by disabling default feature also on the dev-dependency to ureq?

@mockersf
Copy link
Member

ring comes from rustls support, which is enabled by default with the tls feature

This means that we force our users to use rustls, but also that someone has to properly review that license

@mockersf
Copy link
Member

mockersf commented Dec 24, 2024

from the license:

  1. All advertising materials mentioning features or use of this
    software must display the following acknowledgment:
    "This product includes software developed by the OpenSSL Project
    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

Seems kind of a pain. I think it means we won't be able to talk about the engine being able to download things from https without copying that

@alice-i-cecile
Copy link
Member

Looking at the ring license, it appears to be mostly MIT.

However:

    1. All advertising materials mentioning features or use of this software
  • must display the following acknowledgement:
  • "This product includes cryptographic software written by
  • Eric Young ([email protected])"
    

This clause is super annoying. It looks like it's a very old amateur license from 1995 or so. The practical risk is low, but we should not allow this license. Can we change features around to avoid ring?

@alice-i-cecile alice-i-cecile added S-Waiting-on-Author The author needs to make changes or address concerns before this can be merged M-Needs-Release-Note Work that should be called out in the blog due to impact and removed S-Ready-For-Final-Review This PR has been approved by the community. It's ready for a maintainer to consider merging it labels Dec 24, 2024
@alice-i-cecile alice-i-cecile added this to the 0.16 milestone Dec 24, 2024
@alice-i-cecile
Copy link
Member

See briansmith/ring#1827 for a tracking issue for the upstream licensing stuff. We very much shouldn't try to wait on that.

@mrchantey
Copy link
Contributor Author

From what i can gather on these ureq issues, the new rustls default is aws-lc-rs instead of ring. It seems to have better licensing but worse devx, requiring non-rust dependencies for windows builds.
algesten/ureq#751
algesten/ureq#765

@alice-i-cecile
Copy link
Member

Bah, okay. Can we ship without https support by default and leave the choice up to the end user? I don't particularly care about encrypting e.g. example assets TBH.

@mrchantey
Copy link
Contributor Author

Sounds good, i guess most users of this feature will need it because just about everything is https these days.

The workaround is in the Cargo.toml dev-dependencies because the http_source example uses https://raw.githubusercontent/.../bevy_bird_dark.png.

We can add tls when ring sorts its license out and in the meantime adding https suppport is a one-liner:

# enable bevy https asset loader
ureq = { version = "*", features = ["tls"] }

check-licenses

check-licenses still isnt happy, i think it cant distinguish a dev-dependency when its the same crate that we're toggling a feature on:

 ├ ring v0.17.8
    ├── rustls v0.23.20
    │   └── ureq v2.12.1
    │       ├── (dev) bevy v0.15.0-dev
    │       └── bevy_asset v0.15.0-dev

Copy link
Member

@alice-i-cecile alice-i-cecile left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Once there's a note or two about the license in the docs I'm happy to merge this.

@mockersf
Copy link
Member

I don't think it's worth it to merge this without https support

Nowadays everything is https. hiding the license behind a not enabled feature is not a fix, because for pretty much all use cases it will need to be enabled and the license issue solved

@mockersf mockersf added X-Controversial There is active debate or serious implications around merging this PR and removed X-Contentious There are nontrivial implications that should be thought through labels Dec 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-Assets Load files from disk to use for things like images, models, and sounds C-Dependencies A change to the crates that Bevy depends on C-Feature A new feature, making something new possible D-Modest A "normal" level of difficulty; suitable for simple features or challenging fixes M-Needs-Release-Note Work that should be called out in the blog due to impact S-Waiting-on-Author The author needs to make changes or address concerns before this can be merged X-Controversial There is active debate or serious implications around merging this PR
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Feature: Upstream bevy_web_asset, allowing assets loaded via http
9 participants