commit: c49d4e391789b9b46f3310845e153d3aa4b74646
parent ec2c5473d3120c4f02406740cf6857e5a217f48a
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Wed, 24 Sep 2025 23:29:20 +0200
notes/bootstrapping: mrustc got in Gentoo, replace "supply-chain" usage about cargo
Diffstat:
1 file changed, 26 insertions(+), 8 deletions(-)
diff --git a/notes/bootstrapping.shtml b/notes/bootstrapping.shtml
@@ -95,22 +95,40 @@
<h3 id="rust">Rust</h3>
<p>
- There is <a href="https://github.com/thepowersgang/mrustc">mrustc</a> but it's quite unstable and so far GuixSD seems to be the only distro using it.
- Getting to stable also involves compiling the intermediary versions.
- Rustc also vendors several other projects like LLVM and rust crates (enjoy non-installable libraries), similarly to other rust software.
+ There is <a href="https://github.com/thepowersgang/mrustc">mrustc</a>
+ (packaged in Guix and Gentoo)
+ but it tends to lag behind by about ten 1.x versions,
+ which sadly you each need to compile as intermediary steps.
+ Rustc also vendors several other projects like LLVM and rust crates
+ (enjoy non-installable libraries), similarly to other rust software.
</p>
<p>
- GCC Rust Frontend is also not ready yet (2023-03) for userland, as <a href="#cargo">cargo</a> doesn't bootstraps…
+ GCC Rust Frontend is also not ready yet (2023-03) for userland,
+ as <a href="#cargo">cargo</a> doesn't bootstraps…
</p>
<h3 id="cargo">Cargo</h3>
<p>
- As if rustc not bootstrapping wouldn't be enough, cargo, the buildsystem+dependency-installer for Rust software depends on <a href="https://github.com/rust-lang/cargo/blob/master/Cargo.toml">~60 direct libraries</a>, notably including 2+ git libraries, HTTP Authentication, OpenSSL.<br />
- Cargo isn't a buildsystem, it's a full blown package manager, supply chain troublemaker (<a href="https://drewdevault.com/2022/05/12/Supply-chain-when-will-we-learn.html">via designed-vulnerable crates.io</a>), …
+ As if rustc being a bootstrapping problem wouldn't be enough, cargo,
+ the buildsystem+dependency-installer for Rust software depends on
+ <a href="https://github.com/rust-lang/cargo/blob/master/Cargo.toml">~60 direct libraries</a>,
+ notably including 2+ git libraries, HTTP Authentication, and OpenSSL.<br />
</p>
<p>
- It really ought to be replaced by something which only takes care of building code (or even just generating a <code>Makefile</code> or a <code>build.ninja</code> file), as was done in the C ecosystem many times in the past (pkg-config ⇒ <a href="https://gitea.treehouse.systems/ariadne/pkgconf">pkgconf</a>, ninja ⇒ <a href="https://github.com/michaelforney/samurai">samurai</a>, …).<br />
- This isn't a system that scales, this is just creating a gigantic blob of software that cannot be reasonably audited, right in the toolchain.
+ Cargo isn't a buildsystem, it's a full blown package manager
+ and a troublemaker when it comes to dependency management due to
+ <a href="https://drewdevault.com/2022/05/12/Supply-chain-when-will-we-learn.html">designed-vulnerable crates.io</a>.
+ </p>
+ <p>
+ It really ought to be replaced by something which only
+ takes care of building code (or even just generating
+ a <code>Makefile</code> or a <code>build.ninja</code> file),
+ as was done in the C ecosystem many times in the past
+ (pkg-config ⇒ <a href="https://gitea.treehouse.systems/ariadne/pkgconf">pkgconf</a>,
+ ninja ⇒ <a href="https://github.com/michaelforney/samurai">samurai</a>,
+ …).<br />
+ This isn't a system that scales, this is just creating a gigantic blob
+ of software that cannot be reasonably audited, right in the toolchain.
</p>
<h3 id="java">Java</h3>
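Review bot: the first Cargo paragraph now ends with a leftover `<br />` directly before `</p>` (the added line "notably including 2+ git libraries, HTTP Authentication, and OpenSSL.<br />"). The break used to separate two sentences in the same paragraph, but the second sentence has moved into its own `<p>`, so the `<br />` can be dropped. Two smaller wording points in the same hunk: in the Rust paragraph, "which sadly you each need to compile as intermediary steps" reads more clearly as "each of which you sadly need to compile as an intermediary step". The GCC Rust Frontend paragraph is only rewrapped, so it still carries the "(2023-03)" status date and the "doesn't bootstraps" typo. Since the neighbouring mrustc text is being refreshed here, it is worth re-checking that date and changing the verb to "doesn't bootstrap" in the same commit.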