#gentoo question for all you beautiful intelligent #gentoo mains out there: is installing rust packages via portage pointless? I installed media-sound/wiremix thinking ooo no new dependencies and it installed a zillion "crates" out of band. or is that probably why the package is masked currently?

EDIT: winning answer: that is normal, but portage will update it at least (among other things)

@aeva Yeah, it's a hazard of compiling anything written in rust from source, I had to sit through the same process on slackware for an RSS reader. At least portage handling it for you makes maintaining the giant pile of crates rust drags along with it simple.
@miss_rodent I've been having so much fun seeing what each new thing I install wants, and it really sucks the fun out when something is like trust me bro don't look
@aeva Yeah, honestly it's one of the things I really dislike about rust (and most languages that have their own special library package management nonsense), it makes it really hard to judge how long a build will take, and what sort of mess it's about to make in your filesystem if you run it and step away until it's done -.-;;;
@miss_rodent it also makes me wonder if the author is vetting anything either. it would be hilarious if this ended up being a horrific supply chain attack vector
@aeva presumably they just use cargo, which... pulls from community package repositories, the official repository is https://crates.io/ but I think it can grab from github crates and such too... so, a supply chain attack is entirely plausible.
@aeva but iirc you need to add unofficial registries to a config file, so, it probably only grabbed from crates.io.
Which.... maybe they're verified? No idea. How much do you trust the rust team, I guess.
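One way to answer the "where did all those crates come from" question for any Rust package you build is to read its Cargo.lock, where cargo records a `source` (and, for registry crates, a `checksum`) for every dependency. The script below, added here as an example and not code from this thread or from wiremix, lists every entry whose source is not the official crates.io index; the sample lockfile it scans is constructed, and the package names and checksum values in it are placeholders.

```shell
#!/bin/sh
# Constructed sample Cargo.lock standing in for the one a real build would use.
SAMPLE_LOCK=$(mktemp)
cat > "$SAMPLE_LOCK" <<'EOF'
[[package]]
name = "wiremix"
version = "0.1.0"

[[package]]
name = "anyhow"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "somedep"
version = "0.2.0"
source = "git+https://github.com/example/somedep?branch=main#0123456789abcdef"

[[package]]
name = "otherdep"
version = "0.3.0"
source = "registry+https://example.com/private-index"
checksum = "1111111111111111111111111111111111111111111111111111111111111111"
EOF

# Print "name version source" for each package whose source is not the
# crates.io index. Entries with no source line are local path crates (the
# root crate itself, vendored workspace members) and are reported as "path".
lock_non_cratesio() {
    awk '
        function flush() {
            if (name != "" && src != "registry+https://github.com/rust-lang/crates.io-index")
                print name, ver, (src == "" ? "path" : src)
            name = ""; ver = ""; src = ""
        }
        /^\[\[package\]\]/ { flush() }
        /^name = /    { gsub(/"/, "", $3); name = $3 }
        /^version = / { gsub(/"/, "", $3); ver = $3 }
        /^source = /  { gsub(/"/, "", $3); src = $3 }
        END { flush() }
    ' "$1"
}

lock_non_cratesio "$SAMPLE_LOCK"
```

Anything printed besides the root crate is a dependency that cargo fetched from a git checkout or an alternative registry rather than crates.io, which is exactly the set worth a second look before trusting the build.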
@aeva Coming from a Slackware user of nearly two decades - I realllyyyy hate this aspect of rust.
I run a distro where *I* am the dependency-resolution part of package management for a reason. If I want a package manager that does it for me, I can just use debian. I don't need (or want) an extra package manager to babysit.