Could Rust move away from recommending curl | sh as the way to install Rust? At my current company curl | sh has been an obstacle to getting Rust approved as a permissible language. Just dropping files from the Internet on our servers is not allowed.

• It’s a pain to use it on managed servers. Configuration management tools (ansible/puppet/chef/salt/etc.) know how to manage packages well, but can’t do much with an arbitrary script.

• The script is not versioned. It’s not easy to freeze or revert to an older version, so it can break the infrastructure at any moment (this has just happened with the 1.18.0 release).

• curl | sh as a solution doesn’t look serious or mature. It has a reputation of being an avenue for an undetectable hack. This reputation is IMO irrational, but nevertheless, I don’t want to keep introducing people to Rust by first defending a hack they’re afraid of.

Users who ignore curl | sh recommendation are likely to end up in even worse situation. The pace of Rust releases, and adoption of new versions by crates ecosystem, is too fast for most Linux distros. Users who install an old version packaged by a Linux distro end up having a really really bad time. Many crates don’t work, even basic tutorials and code examples may not work. Compile errors from Rust/Cargo are very misleading (demand feature flags and nightly editions, instead of upgrading to the current stable).

So overall users end up being told to do something that looks like a dirty hack, and if they choose to install from their trusted reliable source instead, they end up with a “broken” Rust that gives them only compilation errors, even on the examples from Rust’s home page.

My suggestion is:

• For Linux, offer official APT and RPM repositories. This bypasses distro release schedules that are incompatible with Rust, gives security assurance users expect (signing keys), and compatibility with mature, production-ready deployment tooling.

• For macOS, suggest using rustup from an installer package (rustup, not just a specific Rust version, because rustup is a necessary component in practice), and mentioning Homebrew. Homebrew is preferred by many developers, but it needs brew install rustup-init, rather than brew install rust (this duplication of packages is unfortunate, and perhaps rustup should detect it?).

• For Windows, there’s another topic.

For example, Node.js:

• Recommends installers for desktop platforms.
• Has install instructions and packages for dozens of distros/package managers.
• Has apt and rpm repositories with latest packages for several OSes. This one is technically 3rd party, but a very useful resource.

Also, if we offered a deb or rpm, we can offer the corresponding SHA sum, which is nicer than just trusting curl…

curl | sh is not the only available option to obtain a Rust install.

• You can download the rustup-init binary yourself: https://github.com/rust-lang/rustup.rs/#other-installation-methods. In addition to downloading the newest release, you can also download an explicit version. That’s what the Rust official Docker images do, for example: https://github.com/rust-lang/docker-rust/blob/master/1.34.1/stretch/Dockerfile#L17-L18
• You can use the official Docker images: https://hub.docker.com/_/rust
• You can bypass rustup entirely and download the distribution tarball yourself: https://forge.rust-lang.org/other-installation-methods.html

Yes, there are other options, but none of them are APT, which I think is problematic. I think LLVM’s APT setup is a good example to follow.

Defaults matter. Install Rust - Rust Programming Language

Shows:

Using rustup (Recommended)

curl https://sh.rustup.rs -sSf | sh

And the other page has overwhelming amount of text and links, and still shows curl | sh hack as the first option.

Except that if you get the SHA hash and the download link from the same page, verifying the hash gives you no additional security. That is, at least if it’s a bare hash rather than a GPG signature…

True. A bare hash helps detect file corruption or errors during download; detection of deliberate forgery requires a hash that's been signed asymmetrically by a trusted source.

Sure my point is that it’s hard to do that with the current curl | sh strategy

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.