On Wednesday, November 20, 2019 12:53:06 AM CET William Brown wrote:
On 20 Nov 2019, at 05:57, John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> wrote:
On 11/19/19 7:15 PM, Jan Engelhardt wrote:
An alternative would be to devote the manned resources to not grow minute dependencies on large stacks. (That ship has probably sailed in terms of firefox-in-the-distro, (...)
Unless Firefox has changed since the last time I touched the codebase, I'm pretty sure that it has all the Rust crates vendored which it needs. So, Firefox alone shouldn't be a problem.
I think Rust projects will always tend to vendoring, because the huge micro-dependency style system that exists means we'll never keep up trying to package these.
For tarballs that come from upstream this can be the case, but I am not sure that this is ideal for openSUSE.
Kanidm has ~200 indirect crate dependencies on its own, I can't imagine how many Firefox has. It's a waste of our time to try to package all 200 when we could be putting that time into other things instead.
You already pointed out a reason why doing this effort makes sense: security updates. We have a full build system designed to track the dependencies, and build the required subset automatically. Throwing that out of the window for a new language is IMO wrong. We traditionally do vendoring in Java, but a heroic effort of one developer is changing this, reusing solutions from Fedora, Red Hat or Debian, and a lot of smart work.
This essentially means we are always at the whims of those vendored dependencies and what they require, and that is highly likely to be the "latest" stable compiler.
I think we should aim to:
* Have rustc/cargo move with the upstream cadence, with automation as suggested into all SLE/LEAP/TW/Other
* Do not attempt to package crates - only package leaves, i.e. consuming projects
+1, I think that this is a good starting point. Neal, what do you think of the idea from Ludwig of having a system rust compiler (more stable and conservative, used to build all the openSUSE rings), and an updated version of the compiler co-installable for developers.
I do not agree here. The effort of designing scripts to update the crates, macros that will help, supporting multiple versions of the same crate, etc is so big compared with `cargo vendor`! Maybe we can do something similar to what Go is doing: https://en.opensuse.org/openSUSE:Packaging_Go Maybe using only BuildRequires instead of both Requires and BuildRequires if this is possible, and designing a similar set of macros here. Neal, what is the plan in Fedora for this?
* Improve our rust macros and packaging guides around this topic.
Yes.
As much as we want to wring our hands and slow down rust, and do things "our way" we can't - we have to follow and adapt in this case.
So where do we start to achieve this?
You are asking very hard questions :)) I am personally in a phase where I try to have a view of what we want, and what the good decisions are. The Fedora and Debian communities are spending a lot of thinking here, so before moving I want to have more information.
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nuremberg
Germany
(HRB 36809, AG Nürnberg)
Managing Director: Felix Imendörffer