[Pkg-rust-maintainers] Directly bootstrapping arm architectures

[Ximin Luo]

Angus Lees:
>    - Install the required dependencies "somehow"
>    - For Rust+arm this probably means installing the upstream pre-built
>       compiler, as you've suggested.  For new architectures it will require a
>       working cross-compiler (and LLVM support).
>    - Use it to build rustc.deb
>       - Possibly by hacking the build-deps to remove dependencies that
>       can't be satisfied through the packaging system, but I think we have the
>       right build profiles in place to make manual edits unnecessary.
>    - Use the resulting rustc.deb (and other build-deps) to build a "clean"
>    rustc.deb, with no build-profiles or manual debian/control hacks.
>    - Upload the resulting clean rustc.deb (binary-only upload).
> 

I roughly understand this approach, and AIUI we can reduce the first few steps (install deps "somehow", use it to build) to `dpkg-buildpackage -P dlstage0`. However I'm not convinced that the benefit of "not uploading a orig-dl.tar.gz" outweighs the loss of automation and reduced trust.

With your approach, I have to do this on every new architecture, download all the results to the machine I have my keys on, debsign them then upload them. OTOH, I could do a single source-only upload directly from my machine with the orig-dl tarball, and the buildd network will do the rest all automatically.

Also with the manual cycle-breaking, Debian will have to trust that (a) I didn't backdoor the first binary-only upload *as well as* that (b) Rust upstream didn't backdoor their releases (that I used to bootstrap my upload). With a orig-dl source-only upload, Debian only has to trust (b) and not (a, b).

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git