[Pkg-rust-maintainers] Draft Rust packaging policy for review

Ximin Luo infinity0 at debian.org
Thu Dec 8 02:52:00 UTC 2016


Ximin Luo:
> Everything else looks reasonable so far, taking into account that I'm not very familiar with Cargo yet. Hopefully others can also comment, to confirm that there's nothing major missing.
> 

Oh, one thing that I forgot. Applications that are built out of crates will statically link in those crates, without needing a Depends: on them.

This will cause extra work for the security team, if a crate has a security vulnerability that must be patched in many packages.

We were discussing earlier in #debian-security what the best way is to make this sort of work easier. There is some precedent for adding Built-Using fields [1] to statically-linked binary packages, e.g. see the examples here:

https://wiki.debian.org/StaticLinking

and I had been doing this myself for some JS stuff that I helped with recently. But there were also people saying not to use this header, e.g.:

https://lists.debian.org/debian-haskell/2012/09/msg00037.html

Personally I think it's useful for this static-linking purpose.

An alternative is to detect it "automatically" by looking at the Build-Depends and assuming every crate-dev package will be statically linked into the resulting binaries. But then we still have to figure out what versions of those packages were used for the binary build. Our recent work on buildinfo files ([2], `man deb-buildinfo`) is able to supply this information, but it would be another download, and we haven't decided exactly how this would occur yet. So I think all-in-all the Built-Using option is simpler, at least for now.

X

[1] https://www.debian.org/doc/debian-policy/ch-relationships.html section 7.8
[2] https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
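As an added illustration of the Built-Using approach discussed above (example code written for this page, not from the thread or from Debian's tooling): a Python sketch of what a debian/rules helper could compute from Build-Depends, assuming a `librust-<crate>-dev` naming for crate packages and a constructed table standing in for `dpkg-query` output. The last function shows how the security team could read the field back to find which binaries embed a given crate source.

```python
import re

# Constructed Build-Depends line (not from the thread). The "librust-<crate>-dev"
# naming is an assumption used here to recognise crate packages.
BUILD_DEPENDS = ("debhelper (>= 10), cargo, librust-serde-dev (>= 1.0), "
                 "librust-libc-dev [linux-any], librust-rand-dev | librust-rand-0.3-dev")

# Constructed stand-in for what
#   dpkg-query -W -f '${binary:Package} ${source:Package} ${source:Version}\n'
# would report inside the build chroot: binary package -> (source, source version).
INSTALLED = {
    "debhelper": ("debhelper", "10.2.2"),
    "cargo": ("cargo", "0.15.0-1"),
    "librust-serde-dev": ("rust-serde", "1.0.8-1"),
    "librust-libc-dev": ("rust-libc", "0.2.17-2"),
    "librust-rand-dev": ("rust-rand", "0.3.14-1"),
}

CRATE_PKG = re.compile(r"^librust-.*-dev$")

def crate_build_deps(build_depends):
    """Crate -dev packages named in Build-Depends, one list per "a | b" group.
    Version constraints, architecture lists and build profiles are dropped."""
    groups = []
    for group in build_depends.split(","):
        alts = [alt.strip().split()[0] for alt in group.split("|") if alt.strip()]
        alts = [a for a in alts if CRATE_PKG.match(a)]
        if alts:
            groups.append(alts)
    return groups

def built_using(build_depends, installed):
    """Build the Built-Using value 'src (= ver), ...' from the crate packages
    actually installed in the chroot, keyed by source package so two binaries
    from one source appear once. A group with no installed alternative is an
    error rather than a silent gap in the field."""
    sources = {}
    for alts in crate_build_deps(build_depends):
        present = [a for a in alts if a in installed]
        if not present:
            raise LookupError(f"none of {alts} is installed in the build chroot")
        src, ver = installed[present[0]]
        sources[src] = ver
    return ", ".join(f"{src} (= {ver})" for src, ver in sorted(sources.items()))

def embedded_version(built_using_field, source_pkg):
    """The security team's question per binary package: which version of
    source_pkg is statically linked in, or None if it is not."""
    for entry in built_using_field.split(","):
        m = re.match(r"^\s*(\S+) \(= (\S+)\)\s*$", entry)
        if m and m.group(1) == source_pkg:
            return m.group(2)
    return None
```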


