The State of Rust Tarballs

vorner · 2019-01-04T13:18:10.388Z

Hello

I’d like to add another use case.

I work at Avast (though in different department than the one responsible for this). What Avast wants to do is to consider rust binaries as „trusted source“ ‒ basically, there’s a big database of „likely malware“ and „likely clean“ binaries and the chance of flagging rustc.exe as malware is smaller if it gets into the „likely clean set“ (and rustc.exe does some things that make it suspicious for an AV ‒ like writing other binaries). Considering it as malware is not good for Avast, and it is not good for Rust.

Some time ago there was a setup that crawled and downloaded the releases and added them to the „likely clean“. But it recently stopped working, probably because of that 404 there. I wanted to report that 404, but I didn’t have the time to find out where exactly to send the report yet.

So, it would be nice if that page (or any other page) started to work again. The tarballs/zips (?) as they are now are fine for this use case (as is probably any other archive), though.

arielb1 · 2019-01-04T14:40:41.457Z

I agree that having tarballs work is a good idea, and that the tarball 404 should be fixed…

About a year ago, it was possible to use Rust by extracting the tarballs and pointing PATH to the right place.

Since codegen backends arrived, you also need to have the lib directory on your library search path (e.g. LD_LIBRARY_PATH). It might be a good idea to fix this.

bsundsrud · 2019-01-04T14:51:05.760Z

How does this work with rustup then? Does it somehow fiddle with your LD_LIBRARY_PATH when you call cargo/rustc?

arielb1 · 2019-01-04T14:57:24.426Z

I’m not quite sure what it does.

EDIT: extracting the tarball does work, because the rust-libs component contains all the libs in rust-nightly-x86_64-unknown-linux-gnu/rust-std-x86_64-unknown-linux-gnu/lib/rustlib/x86_64-unknown-linux-gnu/lib/, and has codegen backends in rust-nightly-x86_64-unknown-linux-gnu/rustc/lib/rustlib/x86_64-unknown-linux-gnu/codegen-backends.

mbrubeck · 2019-01-04T15:05:42.617Z

bsundsrud:

How does this work with rustup then? Does it somehow fiddle with your LD_LIBRARY_PATH when you call cargo/rustc?

Yes. For rustup users, the cargo and rustc binaries in the PATH are wrappers that set up the environment based on the selected toolchain, then call out to the actual cargo/rustc binaries.

github.com

rust-lang/rustup.rs/blob/25f476dba7c38719b41df1896d83af68349e8016/src/rustup/toolchain.rs#L411-L455


fn set_env(&self, cmd: &mut Command) {
    self.set_ldpath(cmd);


    // Because rustup and cargo use slightly different
    // definitions of cargo home (rustup doesn't read HOME on
    // windows), we must set it here to ensure cargo and
    // rustup agree.
    if let Ok(cargo_home) = utils::cargo_home() {
        cmd.env("CARGO_HOME", &cargo_home);
    }


    env_var::inc("RUST_RECURSION_COUNT", cmd);


    cmd.env("RUSTUP_TOOLCHAIN", &self.name);
    cmd.env("RUSTUP_HOME", &self.cfg.rustup_dir);
}


pub fn set_ldpath(&self, cmd: &mut Command) {
    let new_path = self.path.join("lib");

This file has been truncated. show original

arielb1 · 2019-01-04T15:09:57.518Z

mbrubeck:

Yes. For rustup users, the cargo and rustc binaries in the PATH are wrappers that set up the environment based on the selected toolchain, then call out to the actual cargo/rustc binaries.

Actually, if you set up things “properly”, using the tarball in dist does work. The problem is when you use the component tarballs.

bsundsrud · 2019-01-04T16:56:31.874Z

What kind of setup is involved? Because its starting to sound like the rustup wrappers are actually required to utilize things like components/targets, which would be a troubling state of affairs.

arielb1 · 2019-01-04T20:01:24.426Z

No setup, just combine all the bin and lib directories and call bin/rustc.

bsundsrud · 2019-01-04T20:37:26.769Z

arielb1:

The problem is when you use the component tarballs.

What’s this referring to then? I feel like I’m more confused than when I started this thread. Does manually combining the bin and lib dirs work for all components, including other compile targets? Does it require messing with LD_LIBRARY_PATH?

On a separate note, why is rustup’s wrapper messing with LD_LIBRARY_PATH instead of that being up to cargo/rustc, which seems that it should actually be concerned with the location of its libs? Is that not a concern that a user of non-rustup Rust also have to contend with and would be better solved for everyone?

nagisa · 2019-01-07T08:19:10.831Z

NB: dated directories still have indexes. They even “work” for directories that do not exist yet.

Screwtapello · 2019-01-07T11:46:18.541Z

bsundsrud:

Build and CI springs immediately to mind; if you care about reproducibility you want to also make sure you’re using an exact version of a toolchain in addition to an exact version of a codebase. I believe it’s also an extra inhibition to people finding a Rust project, getting interested, and trying to compile from source.

You may be interested in my rustbud toolchain manager, or maybe a future version of it once I’ve finished porting it to Rust. It does downloading and hashing and verifying like rustup does, but it lets you put a file in your codebase that specifies an exact, specific version of Rust - by URL, if necessary, so your CI doesn’t depend on Rust’s hosted binaries.

bsundsrud:

Does manually combining the bin and lib dirs work for all components, including other compile targets? Does it require messing with LD_LIBRARY_PATH ?

Basically, rustc looks for its various libraries at in a particular path relative to the binary location. If you take all the component tarballs that rustup/rustbud download, figure out which files are metadata and which files need to be installed, then copy them all into a common directory prefix, they Just Work and nobody needs to set LD_LIBRARY_PATH or run ldconfig or anything.

bsundsrud · 2019-01-07T11:50:52.332Z

This seems like a good argument to just fix the tarballs. Since relative paths to the libs work, just changing the directory tree in the tarball would obviate the need for rustbud or for large swaths of code in rustup.

BatmanAoD · 2019-01-10T21:09:51.185Z

Discussing these issues is now on the Infra team agenda for their next weekly meeting, which will be on the 15th; however, it is relatively low priority.

jethrogb · 2019-01-11T09:08:14.465Z

bsundsrud:

The download page

The Rust installation tarballs seem a bit neglected. The download page (https://forge.rust-lang.org/other-installation-methods.html ) only lists tarballs for the latest versions, and only for full distributions (not components or targets). The link to past releases 404’s (https://static.rust-lang.org/dist/index.html ), and there is no visible way to download the targets that don’t have rustc/cargo (looking at x86_64-unknown-linux-musl in particular), and no way to browse for them because of the aforementioned 404.

Related: https://github.com/rust-lang/rust/issues/56971

Soni · 2019-01-11T09:20:54.954Z

we could also get torrent tarballs to be completely sure the server didn’t tamper with them since last time you downloaded them.

bsundsrud · 2019-01-11T09:26:54.901Z

Torrents seem overwrought for this, tar + hash is just as strong. If you’re really wanting to make sure its repeatable/reproducible, you’re not trusting the server’s signature except for the first time you build with it, and then you save that hash and make sure the next time you build, you’re using the same hash you used previously.

bsundsrud · 2019-01-11T09:32:59.092Z

jethrogb:

Related: https://github.com/rust-lang/rust/issues/56971

I don’t have discord for myself so I can’t go see the arguments but is the problem really that we can’t generate static indexes for an S3 bucket?

jethrogb · 2019-01-11T09:44:05.438Z

bsundsrud:

I don’t have discord for myself so I can’t go see the arguments but is the problem really that we can’t generate static indexes for an S3 bucket?

Yes

Soni · 2019-01-11T11:54:55.102Z

And the server can just DoS you then. Torrents are DoS-resistant.

bsundsrud · 2019-01-13T12:53:53.177Z

The delivery mechanism of the tarball/filetree is a separate layer of concern. It’s the layout of the tarball that I’m concerned with, how its delivered can be up to user preference (http, rustup+http, personal S3, torrents, IPFS).