Made progress on packaging #ntpd_rs by @trifectatech for @gentoo:
✅ proper hermetic Rust build
✅ cooked up OpenRC init scripts
✅ runs unprivileged as ntp:ntp
✅ operational #prometheus metrics exporter
✅ man pages

Still a few rough edges but getting there!
#chrony is currently still the better choice but alternatives are always good.

#ntp #rust #gentoo

@underlap So in the case of Gentoo our package manager uses a sandbox to restrict network/filesystem access when building packages. For Rust and Go we created tooling to create version-managed dependency tarballs, which are then unpacked & the contents injected into the build.
For plain Cargo there is offline mode, but you still need to download your dependencies or vendor everything, which is very much frowned upon... at least by us.
@underlap I guess strictly speaking this is not "hermetic" since you can still inject Cargo flags for selecting e.g. build features, optimisation level or LTO, which I find useful.
@asynchronaut Thanks! I agree that vendoring is an anti-pattern. It always used to make my flesh creep when I used it in Go.