On Thu, 2023-02-23 at 01:27 +0000, Micah Snyder (micasnyd) via clamav-users wrote:
> Hi Scott, Michael, Orion,
>
> You make some good points. In particular as Linux/Unix distributions
> are still learning how to package Rust software.
>

It's not a matter of knowing how to package rust. It's just another compiled language. But it's new, and...

* Currently at the peak of its fad language phase.
* Unstable; has no specification, breaking changes in every release.
* Mainly used by people who want to write rust for the sake of writing rust, rather than for writing and maintaining programs that solve real problems.
* Comes with a NIH build system that only works with rust code.
* Has its own package manager that encourages you to pin specific versions and bundle them into your package.
* Has its own code hosting platform that bypasses our supply-chain security.
* Doesn't work on the platforms we support.

So: it's a matter of maturity. There's simply no way to package it right now that meets the quality standards that we've set for ourselves and for our users. It will be many years (if ever) before there's a rust specification, and before the fad chasers have moved on and we're left with people doing actual software engineering.

Or, it could never happen. I wrote a lot of things in Haskell, which does everything rust does but better and did it decades earlier. Ask me how that's going.

The problem isn't specific to rust. You only hear about it with rust because a few high-profile projects (Firefox, ClamAV, librsvg, python cryptography, etc.) have added bits of rust into their non-rust codebases *after* becoming popular. Faced with the prospect of deleting those packages and everything that depends on them, distros were instead forced to compromise a few principles. But rust isn't really to blame; the same problem would arise if you tried to add a few lines of Zig code to a popular C++ package. Luckily with most other languages no one has been crazy enough to do it [0].

> I'm certain there have been discussions along how to
> package/distribute Rust itself within each distro. I am a fan of the
> approach that OpenSUSE has taken: https://en.opensuse.org/Rust I hope
> that some of the other distributions adopt a similar strategy.

Despite the page title, they're not packaging it in the usual sense. They're shipping you a giant executable that never gets security updates. (It's the same with rust on Gentoo and every other distro.) That's how Windows software is "packaged," and it's just not good enough -- especially for a network-facing daemon whose job is to be fed malicious code.

[0] Patiently awaiting the day I don't need Ruby to build webkit. Remember that week when Ruby was cool?