Hi Sebastien, Given that Cargo is so much less secure than Go (no equivalent of a module proxy), it might be safer to let the Rust project be the "lead" or "top level" project, and have the Rust build script; these
https://doc.rust-lang.org/stable/cargo/reference/build-scripts.html pull in any Go dependencies. Otherwise automatic Rust invocation from a Go package install would appear/seem to be introducing alot of security issues for Go packages, right? As least that how it appears at the moment... but I've only been learning Rust for a week, so I have pretty limited perspective. Jason On Wednesday, October 29, 2025 at 9:14:36 AM UTC Sebastien Binet wrote: hi there, Right now, wrapping C, C++ and Fortran code is somewhat easy: just slam some .c, .cxx or .f files within your Go module and the go command will pick them up and compile those as part of the final binary. This allowed "go-get"-ability for, e.g., mattn/go-sqlite3. It doesn't seem like the same thing is possible for Rust code. Right now, the perhaps "easiest" thing is to ship the compiled Rust code (.a, .so or .syso) with your Go project, but you get all the complications with shipping possibly large binaries with your VCS (`cmd/go` and proxy/sumdb support for Git-LFS is a bit sketchy). Am I the only one who wants to wrap Rust code ? Are there enough people who'd like to do just that to warrant some kind of support from the Go ecosystem ? Also, if we were to add support for Rust, do we use rustc as a compilation vehicle or Cargo ? (the latter might open a rather big can of worms with its ability to execute arbitrary code via the 'build.rs' file, but... Cargo is now *the way* to build Rust code, AFAICT) WDYT ? cheers, -s -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/cbb05218-556c-4295-8f0c-15ee48bd0d42n%40googlegroups.com.
