Import Rust vendoring document #66
Conversation
This comment has been minimized.
This comment has been minimized.
slyon
force-pushed
the
rust-vendoring
branch
from
5bcea6e
to
156aca9
Compare
|
CC @liushuyu @schopin-pro @samkamer -- Please let me know if you're fine with this move of the page. |
|
Is this documentation rendered anywhere? |
Only through GitHub, e.g.: https://github.com/slyon/ubuntu-mir/blob/rust-vendoring/vendoring/Rust.md |
| @@ -0,0 +1,114 @@ | |||
| # Rust code in main | |||
|
|
|||
| Due to the current state of the Rust ecosystem, the MIR rules state that packages in main that contain Rust code should vendor their Rust dependencies rather than rely on the individual package versions, see [cpaelzer/ubuntu-mir#3](https://github.com/cpaelzer/ubuntu-mir/pull/3) for some background on the issue. | |||
There was a problem hiding this comment.
It'd be nice to update this link when appropriate, how do we remember to do that?
There was a problem hiding this comment.
The link points to some historical reference, why do you think we should update this? IMO, we should rather re-write our Rust MIR rules (for doing less vendoring) and drop this reference eventually.
We can use this PR for discussing such improvements, but I have the impression we're not yet at a point where we can enforce non-vendored Rust packages. Somebody (Foundations/Toolchain?) still need to lay the groundwork of having a set of core packages available, i.e. as suggested in #35
There was a problem hiding this comment.
Actually, I wonder if we should still enforce the vendoring mandate, today. Maybe we should still ALLOW for vendoring Rust crates, but allow package maintainers to use the librust-*-dev packages from the archive, too. That way we could gradually move away from the vendoring, especially for Rust dependencies that are considered to be stable by the package maintainers. And run a proper MIR process on those selected rust-* source packages.
@liushuyu Do you think this would be feasible already, or is the Rust ecosystem still moving too fast?
This would mean we need to also adopt the corresponding section in the README: "The rust ecosystem currently isn't yet considered stable enough for classic lib dependencies and transitions in main; therefore the expectation for those packages is to vendor (and own/test) all dependencies (except those provided by the rust runtime itself)."
|
I believe vendoring directly to For gnome-snapshot, I used the Debian Policy § 4.16 convention of using So the commands to create and update the vendoring are: Add a patch like this: diff --git a/.cargo/config b/.cargo/config
new file mode 100644
index 0000000..8c56c72
--- /dev/null
+++ b/.cargo/config
@@ -0,0 +1,5 @@
+[source.crates-io]
+replace-with = "debian"
+
+[source.debian]
+directory = "debian/missing-sources" |
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
|
I documented gnome-snapshot's vendoring workflow at https://salsa.debian.org/ubuntu-dev-team/snapshot/-/blob/ubuntu/latest/debian/README.source |
Maybe we can take a page from Node.js, where you can have another source package |
@liushuyu I really like this approach. Could you provide an example of such a Rust package and describe how it's being done? A similar approach of a vendoring .orig tarball has also been suggested by others in the past, e.g.: https://blog.shadura.me/2020/12/22/vendoring-rust-in-debian-derivative/ |
slyon
force-pushed
the
rust-vendoring
branch
from
156aca9
to
c3b68f7
Compare
This comment has been minimized.
This comment has been minimized.
slyon
force-pushed
the
rust-vendoring
branch
from
0f66db9
to
149b433
Compare
|
s390-tools uses that approach.
…On Tue, 17 Sept 2024, 12:08 Lukas Märdian, ***@***.***> wrote:
Maybe we can take a page from Node.js, where you can have another source
package <name>.orig-vendor.tar.xz. Some other Rust packages are doing
this way instead.
@liushuyu <https://github.com/liushuyu> I really like this approach.
Could you provide an example of such a Rust package and describe how it's
being done?
—
Reply to this email directly, view it on GitHub
<#66 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUXZP7I2NAPT3U2WSA446L3ZW75SJAVCNFSM6AAAAABNR2CPJSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNJVGE3DKOJRGE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
This comment has been minimized.
This comment has been minimized.
check-spelling run (pull_request_target) for rust-vendoring Signed-off-by: check-spelling-bot <[email protected]> on-behalf-of: @check-spelling <[email protected]>
slyon
force-pushed
the
rust-vendoring
branch
from
8cde2e6
to
adda2c5
Compare
Importing the "RustCodeInMain" wiki page and transforming it to Markdown: https://wiki.ubuntu.com/RustCodeInMain
Also updating the README.md file to reference the documentation around the
dh-cargotooling.Fixes #65