<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Le 20/07/2016 à 02:07, Angus Lees a
écrit :<br>
</div>
<blockquote
cite="mid:CAPA_H3f6ZreGrvP03KrWuLCdxqtkpH+e6txFH8-06CsYJZA5xg@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<br>
<div class="gmail_quote">
<div dir="ltr">On Mon, 18 Jul 2016 at 11:55 Ximin Luo <<a
moz-do-not-send="true" href="mailto:infinity0@debian.org">infinity0@debian.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Angus
Lees:<br>
> - Install the required dependencies "somehow"<br>
> - For Rust+arm this probably means installing the
upstream pre-built<br>
> compiler, as you've suggested. For new
architectures it will require a<br>
> working cross-compiler (and LLVM support).<br>
> - Use it to build rustc.deb<br>
> - Possibly by hacking the build-deps to remove
dependencies that<br>
> can't be satisfied through the packaging system,
but I think we have the<br>
> right build profiles in place to make manual
edits unnecessary.<br>
> - Use the resulting rustc.deb (and other build-deps)
to build a "clean"<br>
> rustc.deb, with no build-profiles or manual
debian/control hacks.<br>
> - Upload the resulting clean rustc.deb (binary-only
upload).<br>
><br>
<br>
I roughly understand this approach, and AIUI we can reduce
the first few steps (install deps "somehow", use it to
build) to `dpkg-buildpackage -P dlstage0`. However I'm not
convinced that the benefit of "not uploading a
orig-dl.tar.gz" outweighs the loss of automation and reduced
trust.<br>
<br>
With your approach, I have to do this on every new
architecture, download all the results to the machine I have
my keys on, debsign them then upload them. OTOH, I could do
a single source-only upload directly from my machine with
the orig-dl tarball, and the buildd network will do the rest
all automatically.<br>
<br>
Also with the manual cycle-breaking, Debian will have to
trust that (a) I didn't backdoor the first binary-only
upload *as well as* that (b) Rust upstream didn't backdoor
their releases (that I used to bootstrap my upload). With a
orig-dl source-only upload, Debian only has to trust (b) and
not (a, b).<br>
</blockquote>
<div><br>
</div>
<div>Sure, and a cross-compile would obviously be better still
(building only from existing "trusted" Debian packages on an
existing arch).</div>
<div><br>
</div>
<div>I disagree with your conclusion, but I think that's only
because I'm considering it more important to "do the normal
thing" than you are. You can see why in the general case it
would be infeasible to bundle up every dependency required
to break the circular build depdency in a pre-built
"orig-dl" tarball. If you want to get the buildds to build
the intermediate rustc.deb (the "unclean" one in my steps
above) by churning orig-dl-tar.gz then I have no technical
objection and you should go for it. It would be wonderful
to see rustc.deb on more architectures :)</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</blockquote>
This would be amazing to have it on all archs.<br>
<br>
I don't have any issue using orig-dl to bootstrap an arch. However,
this limits us on the arch supported by upstream.<br>
I don't think they are going to support as many archs as LLVM...<br>
<br>
Therefor, a cross-compile approach would probably be better for the
future of rust in Debian.<br>
<br>
Sylvestre<br>
</body>
</html>