Packaging Rust for Fedora

Posted Oct 30, 2022 12:26 UTC (Sun) by ssokolow (guest, #94568)
In reply to: Packaging Rust for Fedora by seanyoung
Parent article: Packaging Rust for Fedora

As I understand it, being someone who maintains a flatpak and helped get another one prepared:

1. Unified auditing. All dependencies have their sources and hashes pinned down in a single, unified record.

2. Separation of sandbox rules between the download phase (only tools like flatpak-builder can run code, network access) and the build phase (arbitrary package code runs, no network access)

Part #2 helps to prevent things like using package code to co-opt your build machine/farm as a vector to skirt around your border firewall and attack softer targets within your LAN. (Assuming, of course, that this is a "this LAN builds distributables for package X but doesn't run them" situation.)

Packaging Rust for Fedora

Posted Oct 30, 2022 15:25 UTC (Sun) by gilnaa (guest, #161422) [Link] (4 responses)

You can achieve this by hosting your own registry, which is basically just another http server.

Packaging Rust for Fedora

Posted Oct 30, 2022 16:16 UTC (Sun) by mathstuf (subscriber, #69389) [Link]

Note that my idea (that I've posted about before) is that installing a Rust package puts its crate into a machine-local registry. This would allow for automatic resolution to distro-provided versions based on `BuildRequires:` and the like.

Note that just rehosting `crates.io` might not be preferrable since they can be post-codegen steps (of various kinds) and instead `cargo publish` into this registry that is then pulled out during some `rpm-cargo-*` macro magic would probably be a better mechanism.

Packaging Rust for Fedora

Posted Oct 30, 2022 16:18 UTC (Sun) by ssokolow (guest, #94568) [Link] (2 responses)

How does that solve the "unified" requirement? A flatpak manifest puts all the hashes and URLs in the same JSON or YAML file, regardless of what language each dependency is written in.

Packaging Rust for Fedora

Posted Oct 30, 2022 16:43 UTC (Sun) by mathstuf (subscriber, #69389) [Link] (1 responses)

Just because you have the hash doesn't mean you have the source available when you need/want it. If some registry goes down due to a DNS renewal failure, "hostile" acquisition, or other fun things, that hash list is quite useless.

Packaging Rust for Fedora

Posted Oct 30, 2022 17:16 UTC (Sun) by ssokolow (guest, #94568) [Link]

Of course. I'm saying that, just because you have a local Cargo registry, and a Conan registry, and a pip registry, and so on doesn't mean you have a clean, unified, easy-to-use way to check your bill of materials.

Conversely, if you have something like a flatpak manifest, you can use flatpak-builder arguments like --download-only, --disable-download, and --bundle-sources to easily cache and manage access to dependency sources.