blog

My website can't be that messy, right?
git clone https://anongit.hacktivis.me/git/blog.git/
commit: c49d4e391789b9b46f3310845e153d3aa4b74646
parent ec2c5473d3120c4f02406740cf6857e5a217f48a
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Wed, 24 Sep 2025 23:29:20 +0200

notes/bootstrapping: mrustc got in Gentoo, replace "supply-chain" usage about cargo

Diffstat:

M notes/bootstrapping.shtml | 34 ++++++++++++++++++++++++++--------
1 file changed, 26 insertions(+), 8 deletions(-)

diff --git a/notes/bootstrapping.shtml b/notes/bootstrapping.shtml 
@@ -95,22 +95,40 @@ <h3 id="rust">Rust</h3> <p> - There is <a href="https://github.com/thepowersgang/mrustc">mrustc</a> but it's quite unstable and so far GuixSD seems to be the only distro using it. - Getting to stable also involves compiling the intermediary versions. - Rustc also vendors several other projects like LLVM and rust crates (enjoy non-installable libraries), similarly to other rust software. + There is <a href="https://github.com/thepowersgang/mrustc">mrustc</a> + (packaged in Guix and Gentoo) + but it tends to lag behind by about ten 1.x versions, + which sadly you each need to compile as intermediary steps. + Rustc also vendors several other projects like LLVM and rust crates + (enjoy non-installable libraries), similarly to other rust software. </p> <p> - GCC Rust Frontend is also not ready yet (2023-03) for userland, as <a href="#cargo">cargo</a> doesn't bootstraps… + GCC Rust Frontend is also not ready yet (2023-03) for userland, + as <a href="#cargo">cargo</a> doesn't bootstraps… </p> <h3 id="cargo">Cargo</h3> <p> - As if rustc not bootstrapping wouldn't be enough, cargo, the buildsystem+dependency-installer for Rust software depends on <a href="https://github.com/rust-lang/cargo/blob/master/Cargo.toml">~60 direct libraries</a>, notably including 2+ git libraries, HTTP Authentication, OpenSSL.<br /> - Cargo isn't a buildsystem, it's a full blown package manager, supply chain troublemaker (<a href="https://drewdevault.com/2022/05/12/Supply-chain-when-will-we-learn.html">via designed-vulnerable crates.io</a>), … + As if rustc being a bootstrapping problem wouldn't be enough, cargo, + the buildsystem+dependency-installer for Rust software depends on + <a href="https://github.com/rust-lang/cargo/blob/master/Cargo.toml">~60 direct libraries</a>, + notably including 2+ git libraries, HTTP Authentication, and OpenSSL.<br /> </p> <p> - It really ought to be replaced by something which only takes care of building code (or even just generating a 
<code>Makefile</code> or a <code>build.ninja</code> file), as was done in the C ecosystem many times in the past (pkg-config ⇒ <a href="https://gitea.treehouse.systems/ariadne/pkgconf">pkgconf</a>, ninja ⇒ <a href="https://github.com/michaelforney/samurai">samurai</a>, …).<br /> - This isn't a system that scales, this is just creating a gigantic blob of software that cannot be reasonably audited, right in the toolchain. + Cargo isn't a buildsystem, it's a full blown package manager + and a troublemaker when it comes to dependency management due to + <a href="https://drewdevault.com/2022/05/12/Supply-chain-when-will-we-learn.html">designed-vulnerable crates.io</a>. + </p> + <p> + It really ought to be replaced by something which only + takes care of building code (or even just generating + a <code>Makefile</code> or a <code>build.ninja</code> file), + as was done in the C ecosystem many times in the past + (pkg-config ⇒ <a href="https://gitea.treehouse.systems/ariadne/pkgconf">pkgconf</a>, + ninja ⇒ <a href="https://github.com/michaelforney/samurai">samurai</a>, + …).<br /> + This isn't a system that scales, this is just creating a gigantic blob + of software that cannot be reasonably audited, right in the toolchain. </p> <h3 id="java">Java</h3>
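
Review bot: In the first Cargo paragraph, the added line ending "and OpenSSL.<br />" now sits directly before </p>, because the sentence that used to follow the break moved into its own paragraph; the trailing <br /> should be dropped. In the Rust section, the GCC Rust Frontend paragraph is only re-wrapped, so it still carries the "(2023-03)" status date and "doesn't bootstraps…" while the neighbouring mrustc text is brought up to date; consider refreshing that date and correcting the verb to "doesn't bootstrap". The new wording "which sadly you each need to compile" would read more clearly as "each of which you sadly need to compile".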