Packaging Rust for Fedora

Yes, Rust 1.0 was quite spartan... but you can still compile what you wrote for it in modern Rust assuming you don't fall into one of the exceptions like "this code only compiled because of a compiler bug".

I'm not saying there isn't duplication of effort in Rust-land, but it is generally easier to share code. Most crates use a common and very permissive license, use the cargo build system, use the same coding style, are cross platform, rely on the stdlib and the language for expressiveness instead of having to first NIH a ton of data structures and macros etc.

If you are referring to Flatpaks, Fedora is increasingly using it. GNOME Software supports it and Fedora has Flathub (with a filter) enabled by default in the workstation edition. There is also ongoing work to expand the scope of that as well including https://pagure.io/fedora-workstation/issue/300.

Ubuntu has several snaps used by default as well.

Apple requires developers to constantly stay on the bleeding edge with tools and platform releases, at the risk of having their stuff summarily booted from the App Store. Sure the latest release lets you target all (supported) prior releases with a single binary, but the point is that developers still have to generate and then submit those new binaries (including any necessary adjustments due to the latest platform changes that are often incompatible with prior releases, plus comply with whatever new requirements Apple has decided to impose since their last submission. (I'm talking iOS here, though MacOS has been pushing steadily in this direction too)

One can make a reasonable argument that this is actually a good thing for the overall platform health, but forward compatible it is not, and it's rather specious to decry Linux for this but praise Apple for the same.

> The "Corresponding Source" for a work in object code form means all
> the source code needed to generate, install, and (for an executable
> work) run the object code and to modify the work, including scripts to
> control those activities. However, it does not include the work's
> System Libraries, or general-purpose tools or generally available free
> programs which are used unmodified in performing those activities but
> which are not part of the work. For example, Corresponding Source
> includes interface definition files associated with source files for
> the work, and the source code for shared libraries and dynamically
> linked subprograms that the work is specifically designed to require,
> such as by intimate data communication or control flow between those
> subprograms and other parts of the work.

So if the thing you're downloading is a "generally available free program," then it does not need to be included. Since the material in question is *possible* to download from the internet (presumably, from an automated script with no human intervention), that strongly suggests that it is generally available at least.

While the preamble of the license does talk about free software in general terms, neither the preamble nor the definitions section give an explicit description of what exactly qualifies as a "free" program (for example, the four freedoms are nowhere to be found). Courts will use the dictionary definition, and (probably) conclude that a "free" program is one which costs $0. I'm sure this would annoy the hell out of RMS, but that is how courts read contracts and licenses - only the material within the four corners of the document is part of the agreement. The fact that the Free Software Foundation chooses to use the word "free" in a way that is different from the general public is, legally, their problem, and they need to clarify that in the license if they want courts to respect it.

My last gig was in the medical field, where it could take 5+ years to get something in front of the first customer, and needs to be supported for a minimum of 10 years beyond that. The project I was working on involved a lot of 3rd-party Python code, and I am not exaggerating when I say that keeping up with and resolving python module incompatibilities consumed the majority of my time. We would routinely have one build to the next fail because a non-pinned three-layers-deep sub-dependency changed underneath us. On top of different sub components trying to pin different major versions of the same underling library. One of the last things I ran into, just before the whole group was shut down, was a dependency started requiring a newer version of python than our underlying platform provided.

Combine that with researchers just pulling in whatever python libraries they wanted, often (by necessity) on the bleeding edge. So each build would routinely pull down hundreds of python packages from the internet, on top of a custom debbootstrap'd Ubuntu build for our custom boards using bleeding-edge Xilinx SoCs -- It took over three hours to put together the bootable flash image, when everything worked.

I warned the powers that be that this was at best a prototype and that in order for it to be remotely supportable for the 15-year product lifecycle, we'd have to invest a _lot_ more into it, including (at minimum) a complete private mirror of Ubuntu, the python/pip and nodejs ecosystems, and a couple dozen github repos. But really, if we wanted this to be anything other than a toy/tech demo it would need to be rewritten, probably in C++ as that was what most of the rest of the company's long-term-maintained software was written in -- easily tens of millions of lines.

But anyway. In order to pass certification, we'd have to be able to prove the provenance of every bit of code running and guarantee the ability to recreate any given deployed build for fifteen years -- which means we can't rely on _anything_ downloaded from the public internet at build-time.

It’s this clamping down devs object to, even though it happens the same way distro and magma-side, because it is materially impossible to check every possible artifact version under the sun, and even the magmas are not rich enough yet to attempt it.

So my proposal was to use cargo --locked with a distribution-owned copy of crates.io. That means exactly the opposite of a "blind internet pull". I means neatly a curated listed of packages that distribution can audit and lock down precisely.

> The reason the stupid gratuitous inflation of artifact numbers and versions works for the magmas but not for distributions is that the magmas have more (paid) people to hurl at checking their repositories than distributions.

Not at all. Modern tooling like rust is finally getting the reusability of software components right. Many rust crates do one thing, and do one thing very well. Some crates are very sophisticated and some serve a simple purpose; either way, you don't want to open-code all these components yourself. Do you want to open-code how to get the terminal size, for all the unixes and Windows etc or use a simple crate? I do, I don't want to waste time getting some icky ioctl right on some little-used OS, and even if I did, my code will almost certainly have bugs in it because it is not as widely tested.

The tooling provided by distributions is no good for software development. I want to be able to select versions of libraries, not just the one provided by the distribution, possibly point it towards a git repo where I have some of my own patches. I want automatic (recursive) dependency downloading, based on semver. I want to be able to enable features on libraries, not just the features the distribution provides (i.e. ./configure --enable-foo etc). All of this simply by having a simple config file which lists by dependencies, which I can update at any time without changing my distribution. This is what rust/cargo provides.

In my 30 years of software development it has been a constant that the distribution does not provide the version/fix/etc I need, so I have to work around it. The distribution package tooling is utterly useless for software development so very few software developers use it.

I get that the task for distributions is so much harder because of it. How about working upstream with cargo/rust? It's a very warm and welcoming community. Surely there something we can fix together. The result would be amazing.

Can you provide concrete examples of such changes?

1. It takes a lot of time to rebuild packages. This can't be helped, but computing is pretty cheap these days.

2. It takes a lot of bandwidth to distribute the updates. This is mostly because the current package update infrastructure is horribly wasteful. It forces users to re-download the whole package if only a handful of bytes are changed. That's why OSTree with delta-encoding would also help a lot for system packages. User-level apps should be sandboxed and can also use delta-updates.

And yet, I'm pretty sure Debian does it regularly and pretty routinely. Though maybe not with glibc (it's a small nightmare of its own).