[Pkg-rust-maintainers] Directly bootstrapping arm architectures

Angus Lees gus at debian.org
Wed Jul 20 00:07:39 UTC 2016 

On Mon, 18 Jul 2016 at 11:55 Ximin Luo <infinity0 at debian.org> wrote:

> Angus Lees:
> >    - Install the required dependencies "somehow"
> >    - For Rust+arm this probably means installing the upstream pre-built
> >       compiler, as you've suggested.  For new architectures it will
> require a
> >       working cross-compiler (and LLVM support).
> >    - Use it to build rustc.deb
> >       - Possibly by hacking the build-deps to remove dependencies that
> >       can't be satisfied through the packaging system, but I think we
> have the
> >       right build profiles in place to make manual edits unnecessary.
> >    - Use the resulting rustc.deb (and other build-deps) to build a
> "clean"
> >    rustc.deb, with no build-profiles or manual debian/control hacks.
> >    - Upload the resulting clean rustc.deb (binary-only upload).
> >
>
> I roughly understand this approach, and AIUI we can reduce the first few
> steps (install deps "somehow", use it to build) to `dpkg-buildpackage -P
> dlstage0`. However I'm not convinced that the benefit of "not uploading a
> orig-dl.tar.gz" outweighs the loss of automation and reduced trust.
>
> With your approach, I have to do this on every new architecture, download
> all the results to the machine I have my keys on, debsign them then upload
> them. OTOH, I could do a single source-only upload directly from my machine
> with the orig-dl tarball, and the buildd network will do the rest all
> automatically.
>
> Also with the manual cycle-breaking, Debian will have to trust that (a) I
> didn't backdoor the first binary-only upload *as well as* that (b) Rust
> upstream didn't backdoor their releases (that I used to bootstrap my
> upload). With a orig-dl source-only upload, Debian only has to trust (b)
> and not (a, b).
>

Sure, and a cross-compile would obviously be better still (building only
from existing "trusted" Debian packages on an existing arch).

I disagree with your conclusion, but I think that's only because I'm
considering it more important to "do the normal thing" than you are.  You
can see why in the general case it would be infeasible to bundle up every
dependency required to break the circular build depdency in a pre-built
"orig-dl" tarball.  If you want to get the buildds to build the
intermediate rustc.deb (the "unclean" one in my steps above) by churning
orig-dl-tar.gz then I have no technical objection and you should go for
it.  It would be wonderful to see rustc.deb on more architectures :)

 - Gus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-rust-maintainers/attachments/20160720/59583e0c/attachment-0001.html>

More information about the Pkg-rust-maintainers mailing list