Add optional support for prebuilt binaries#86
Conversation
|
Hey! Thanks for opening the PR. I’m not really convinced yet that pre-built binaries are a good idea (my stance on them has changed a bit over time). The first two points (not wanting to install rustup/disk-space feel easily fixable to me), but the third warrants a conversation:
Why not just pre-cache all deps you need in advance/ship them to the air-gapped environment? If that requires some support in this library, then that’s definitely something I’d be willing to support here. |
|
I fully agree with you. I don't think prebuilt binaries should be used either, as they pose a major supply chain risk. That's why the feature is fully optional, non-intrusive, and must be explicitly opted into by the user. I'd also encourage users to always build from source and if they don't, at least to build and host the prebuilt binaries themselves (if you'd like me to point this out more clearly in the README, I could easily do that).
Sure, that's possible. Yet the correct toolchain will need to be installed through
Would you mind explaining what you have in mind for fixing this another way? I honestly have some doubts about whether that's possible, especially regarding the disk space issue. It is not only the The disk space issue was also mentioned in the original issue that brought me here. I just realized that I forgot to mention the main reason why I would like to have this feature. A full rebuild after a For these reasons, I thought that this feature might be useful for other users, and I was hoping it would be well received. I also felt that the implementation was quite simple and straightforward, but of course I'll defer to your judgment on whether it belongs in the project. |
2 participants
This is an attempt to add support for prebuilt binaries that are downloaded from a remote server instead of building from source on an opt-in basis.
Reasoning
This feature is useful if downstream users want to avoid installing
rustupor if they want to avoid building from source due to constrained disk space.Additionally this also allows building in air-gapped environments without internet access, if the prebuilt binaries are served via a local server.
Design
The feature is roughly modeled after the support for precompiled binaries in cargokit.
At build-time the hook will check if there is a
native_toolchain_rust.tomlfile in the root folder of the downstream application (or Dart workspace) using anative_toolchain_rustbased library.I have a (hopefully self-explanatory) example below that can also be used for testing:
Note that (I think contrary to the implementation in Cargokit) the build will fail if a config file is present that for example points to an invalid URL. I found that to be more transparent for the user instead of (silently) falling back to building from source (I expect most users to not specify a custom logger).
Safety
The feature is completely opt-in and I still advised users to rely on building from source whenever possible, but as mentioned above there are circumstances where this is rather undesirable.
I contemplated letting users optionally specify a list of SHA256 hashes of which every downloaded binary per target must match exactly one, for improved safety, but for now decided against it, because it would be tedious for the users having to manually add them for every new version.
Testing
I added new tests and a dedicated example. I also updated the documented with a high-level explanation of the feature.
Please let me know what you think.