Maturing installation options

Could Rust move away from recommending curl | sh as the way to install Rust? At my current company curl | sh has been an obstacle to getting Rust approved as a permissible language. Just dropping files from the Internet on our servers is not allowed.

  • It’s a pain to use it on managed servers. Configuration management tools (ansible/puppet/chef/salt/etc.) know how to manage packages well, but can’t do much with an arbitrary script.

  • The script is not versioned. It’s not easy to freeze or revert to an older version, so it can break the infrastructure at any moment (this has just happened with the 1.18.0 release).

  • curl | sh as a solution doesn’t look serious or mature. It has a reputation of being an avenue for an undetectable hack. This reputation is IMO irrational, but nevertheless, I don’t want to keep introducing people to Rust by first defending a hack they’re afraid of.

Users who ignore curl | sh recommendation are likely to end up in even worse situation. The pace of Rust releases, and adoption of new versions by crates ecosystem, is too fast for most Linux distros. Users who install an old version packaged by a Linux distro end up having a really really bad time. Many crates don’t work, even basic tutorials and code examples may not work. Compile errors from Rust/Cargo are very misleading (demand feature flags and nightly editions, instead of upgrading to the current stable).

So overall users end up being told to do something that looks like a dirty hack, and if they choose to install from their trusted reliable source instead, they end up with a “broken” Rust that gives them only compilation errors, even on the examples from Rust’s home page.

My suggestion is:

  • For Linux, offer official APT and RPM repositories. This bypasses distro release schedules that are incompatible with Rust, gives security assurance users expect (signing keys), and compatibility with mature, production-ready deployment tooling.

  • For macOS, suggest using rustup from an installer package (rustup, not just a specific Rust version, because rustup is a necessary component in practice), and mentioning Homebrew. Homebrew is preferred by many developers, but it needs brew install rustup-init, rather than brew install rust (this duplication of packages is unfortunate, and perhaps rustup should detect it?).

  • For Windows, there’s another topic.

For example, Node.js:

16 Likes

Also, if we offered a deb or rpm, we can offer the corresponding SHA sum, which is nicer than just trusting curl…

curl | sh is not the only available option to obtain a Rust install.

2 Likes

Yes, there are other options, but none of them are APT, which I think is problematic. I think LLVM’s APT setup is a good example to follow.

2 Likes

Defaults matter. https://www.rust-lang.org/tools/install

Shows:

Using rustup (Recommended)

curl https://sh.rustup.rs -sSf | sh

And the other page has overwhelming amount of text and links, and still shows curl | sh hack as the first option.

4 Likes

Except that if you get the SHA hash and the download link from the same page, verifying the hash gives you no additional security. That is, at least if it’s a bare hash rather than a GPG signature…

1 Like

True. A bare hash helps detect file corruption or errors during download; detection of deliberate forgery requires a hash that’s been signed asymmetrically by a trusted source.

Sure my point is that it’s hard to do that with the current curl | sh strategy