Could Rust move away from recommending curl | sh as the way to install Rust? At my current company curl | sh has been an obstacle to getting Rust approved as a permissible language. Just dropping files from the Internet on our servers is not allowed.
- It’s a pain to use it on managed servers. Configuration management tools (ansible/puppet/chef/salt/etc.) know how to manage packages well, but can’t do much with an arbitrary script.
- The script is not versioned. It’s not easy to freeze or revert to an older version, so it can break the infrastructure at any moment (this has just happened with the 1.18.0 release).
- curl | sh as a solution doesn’t look serious or mature. It has a reputation of being an avenue for an undetectable hack. This reputation is IMO irrational, but nevertheless, I don’t want to keep introducing people to Rust by first defending a hack they’re afraid of.
Users who ignore the curl | sh recommendation are likely to end up in an even worse situation. The pace of Rust releases, and adoption of new versions by the crates ecosystem, is too fast for most Linux distros. Users who install an old version packaged by a Linux distro end up having a really really bad time. Many crates don’t work, even basic tutorials and code examples may not work. Compile errors from Rust/Cargo are very misleading (demand feature flags and nightly editions, instead of upgrading to the current stable).
So overall users end up being told to do something that looks like a dirty hack, and if they choose to install from their trusted reliable source instead, they end up with a “broken” Rust that gives them only compilation errors, even on the examples from Rust’s home page.
My suggestion is:
- For Linux, offer official APT and RPM repositories. This bypasses distro release schedules that are incompatible with Rust, gives the security assurance users expect (signing keys), and compatibility with mature, production-ready deployment tooling.
- For macOS, suggest using rustup from an installer package (rustup, not just a specific Rust version, because rustup is a necessary component in practice), and mention Homebrew. Homebrew is preferred by many developers, but it needs brew install rustup-init, rather than brew install rust (this duplication of packages is unfortunate, and perhaps rustup should detect it?).
- For Windows, there’s another topic.
For example, Node.js:
- Recommends installers for desktop platforms.
- Has install instructions and packages for dozens of distros/package managers.
- Has apt and rpm repositories with latest packages for several OSes. This one is technically 3rd party, but a very useful resource.