blog

My website can't be that messy, right?
git clone https://hacktivis.me/git/blog.git
commit: daa474c7ad61e4d49da1e8bd8239e879ccee7889
parent 148b4dc9101e1e1580638be6bb8793d894c571b8
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Sun, 19 Mar 2023 17:39:49 +0100

notes/bootstrapping: Cargo…

Diffstat:

M notes/bootstrapping.shtml | 13 +++++++++++++
1 file changed, 13 insertions(+), 0 deletions(-)

diff --git a/notes/bootstrapping.shtml b/notes/bootstrapping.shtml @@ -44,6 +44,19 @@ Getting to stable also involves compiling the intermediary versions. Rustc also vendors several other projects like LLVM and rust crates (enjoy non-installable libraries), similarly to other rust software. </p> + <p> + GCC Rust Frontend is also not ready yet (2023-03) for userland, as <a href="#cargo">cargo</a> doesn't bootstraps… + </p> + + <h3 id="cargo">Cargo</h3> + <p> + As if rustc not bootstrapping wouldn't be enough, cargo, the buildsystem+dependency-installer for Rust software depends on <a href="https://github.com/rust-lang/cargo/blob/master/Cargo.toml">~60 direct libraries</a>, notably including 2+ git libraries, HTTP Authentication, OpenSSL.<br /> + Cargo isn't a buildsystem, it's a full blown package manager, supply chain troublemaker (<a href="https://drewdevault.com/2022/05/12/Supply-chain-when-will-we-learn.html">via designed-vulnerable crates.io</a>), … + </p> + <p> + It really ought to be replaced by something which only takes care of building code (or even just generating a <code>Makefile</code> or a <code>build.ninja</code> file), as was done in the C ecosystem many times in the past (pkg-config ⇒ <a href="https://gitea.treehouse.systems/ariadne/pkgconf">pkgconf</a>, ninja ⇒ <a href="https://github.com/michaelforney/samurai">samurai</a>, …).<br /> + This isn't a system that scales, this is just creating a gigantic blob of software that cannot be reasonably audited, right in the toolchain. + </p> <h3>Java</h3> <p>Requires compilers abandonned ~10 years ago, currently doesn't builds to OpenJDK for me.</p>
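
Review bot: In the added Cargo section, the "~60 direct libraries" link targets Cargo.toml on master, so the count and the dependencies named beside it (git libraries, HTTP Authentication, OpenSSL) can stop matching what a reader finds there. Link a tagged or commit-pinned Cargo.toml and date the figure the way the GCC Rust Frontend paragraph does with "(2023-03)". The "designed-vulnerable crates.io" claim rests only on the external link, so a one-clause summary of what is meant would let the paragraph stand if that link goes away. Minor: "doesn't bootstraps" in the first added paragraph should read "doesn't bootstrap".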