notes/bootstrapping: mrustc got in Gentoo, replace "supply-chain" usage about cargo - blog

commit: c49d4e391789b9b46f3310845e153d3aa4b74646
parent ec2c5473d3120c4f02406740cf6857e5a217f48a
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Wed, 24 Sep 2025 23:29:20 +0200

notes/bootstrapping: mrustc got in Gentoo, replace "supply-chain" usage about cargo

Diffstat:
M notes/bootstrapping.shtml 34 ++++++++++++++++++++++++++--------

1 file changed, 26 insertions(+), 8 deletions(-)
diff --git a/notes/bootstrapping.shtml b/notes/bootstrapping.shtml
@@ -95,22 +95,40 @@
 
 			<h3 id="rust">Rust</h3>
 			<p>
-				There is <a href="https://github.com/thepowersgang/mrustc">mrustc</a> but it's quite unstable and so far GuixSD seems to be the only distro using it.
-				Getting to stable also involves compiling the intermediary versions.
-				Rustc also vendors several other projects like LLVM and rust crates (enjoy non-installable libraries), similarly to other rust software.
+				There is <a href="https://github.com/thepowersgang/mrustc">mrustc</a>
+				(packaged in Guix and Gentoo)
+				but it tends to lag behind by about ten 1.x versions,
+				which sadly you each need to compile as intermediary steps.
+				Rustc also vendors several other projects like LLVM and rust crates
+				(enjoy non-installable libraries), similarly to other rust software.
 			</p>
 			<p>
-				GCC Rust Frontend is also not ready yet (2023-03) for userland, as <a href="#cargo">cargo</a> doesn't bootstraps…
+				GCC Rust Frontend is also not ready yet (2023-03) for userland,
+				as <a href="#cargo">cargo</a> doesn't bootstraps…
 			</p>
 
 			<h3 id="cargo">Cargo</h3>
 			<p>
-				As if rustc not bootstrapping wouldn't be enough, cargo, the buildsystem+dependency-installer for Rust software depends on <a href="https://github.com/rust-lang/cargo/blob/master/Cargo.toml">~60 direct libraries</a>, notably including 2+ git libraries, HTTP Authentication, OpenSSL.<br />
-				Cargo isn't a buildsystem, it's a full blown package manager, supply chain troublemaker (<a href="https://drewdevault.com/2022/05/12/Supply-chain-when-will-we-learn.html">via designed-vulnerable crates.io</a>), …
+				As if rustc being a bootstrapping problem wouldn't be enough, cargo,
+				the buildsystem+dependency-installer for Rust software depends on
+				<a href="https://github.com/rust-lang/cargo/blob/master/Cargo.toml">~60 direct libraries</a>,
+				notably including 2+ git libraries, HTTP Authentication, and OpenSSL.<br />
 			</p>
 			<p>
-				It really ought to be replaced by something which only takes care of building code (or even just generating a <code>Makefile</code> or a <code>build.ninja</code> file), as was done in the C ecosystem many times in the past (pkg-config ⇒ <a href="https://gitea.treehouse.systems/ariadne/pkgconf">pkgconf</a>, ninja ⇒ <a href="https://github.com/michaelforney/samurai">samurai</a>, …).<br />
-				This isn't a system that scales, this is just creating a gigantic blob of software that cannot be reasonably audited, right in the toolchain.
+				Cargo isn't a buildsystem, it's a full blown package manager
+				and a troublemaker when it comes to dependency management due to
+				<a href="https://drewdevault.com/2022/05/12/Supply-chain-when-will-we-learn.html">designed-vulnerable crates.io</a>.
+			</p>
+			<p>
+				It really ought to be replaced by something which only
+				takes care of building code (or even just generating
+				a <code>Makefile</code> or a <code>build.ninja</code> file),
+				as was done in the C ecosystem many times in the past
+				(pkg-config ⇒ <a href="https://gitea.treehouse.systems/ariadne/pkgconf">pkgconf</a>,
+				ninja ⇒ <a href="https://github.com/michaelforney/samurai">samurai</a>,
+				…).<br />
+				This isn't a system that scales, this is just creating a gigantic blob
+				of software that cannot be reasonably audited, right in the toolchain.
 			</p>
 
 			<h3 id="java">Java</h3>