cargo-bins / cargo-binstall

Binary installation for rust projects
GNU General Public License v3.0
1.59k stars, 56 forks

Use `cargo-auditable` to build the final release artifacts #627

Closed NobodyXu closed 1 year ago

NobodyXu commented 1 year ago

Use `cargo-auditable` to build the final release artifacts so that they contain all the dependencies used and are auditable.

Related:

https://github.com/cross-rs/cross/issues/1172
https://github.com/rust-secure-code/cargo-auditable/issues/95

Ktoks commented 1 year ago

Recently, upon running `cargo binstall cargo-udeps`, the command `cargo +nightly udeps` fails due to the expected libssl.so.1.1 version being outdated. I had to run `cargo install cargo-udeps --force` afterwards to fix it.

NobodyXu commented 1 year ago

> Recently, upon running `cargo binstall cargo-udeps`, the command `cargo +nightly udeps` fails due to the expected libssl.so.1.1 version being outdated. I had to run `cargo install cargo-udeps --force` afterwards to fix it.

@Ktoks I've opened a new issue for this: #648

Ktoks commented 1 year ago

Thank you.

passcod commented 1 year ago

Should also consider using https://github.com/kinnison/git-testament

NobodyXu commented 1 year ago

@passcod Maybe we can introduce a `--verbose`/`-v` flag that, when specified together with `-V`, causes the commit and more information to be printed?

passcod commented 1 year ago

Yeah, I've made bosion for this for watchexec, but it's currently a little dependency-heavy...

NobodyXu commented 1 year ago

> Yeah, I've made bosion for this for watchexec, but it's currently a little dependency-heavy...

Oh well, having to pull in gix is indeed way too heavy. Can we make gix an optional feature and fall back to running the external `git` command if gix is not enabled?

passcod commented 1 year ago

I'd rather figure out a different way to read the git info in pure Rust, if possible, though a fallback wouldn't go amiss.

NobodyXu commented 1 year ago

This is currently blocked on https://github.com/watchexec/watchexec/pull/615, since bosion currently uses an old gix version while cargo-binstall uses gix 0.47.

NobodyXu commented 1 year ago

I've submitted https://github.com/watchexec/watchexec/pull/619 for updating gix to v0.47.

NobodyXu commented 1 year ago

I just realized that if we run `cargo install`, then bosion will fail to find a git repository.

NobodyXu commented 1 year ago

vergen supports several features to select the git implementation from the git CLI, git2 and gix, and can disable git entirely.

We can check for `.git` in our build script and run `git --version` to decide whether to disable git.
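A build-script probe along the lines NobodyXu describes above, as an added example that is not cargo-binstall's, vergen's or bosion's own code: it reports whether git-derived version info can be embedded and returns false, instead of failing the build, when `cargo install` builds from a crates.io tarball that has no `.git`. The function names `git_info_available` and `build_script_directives` and the cfg name `git_info` are assumptions.

```rust
// Added example (not cargo-binstall's own code). Probe used by a build.rs to
// decide whether git metadata can be embedded in the binary.
use std::path::{Path, PathBuf};
use std::process::Command;

/// Returns true only when `manifest_dir` sits inside a git checkout (a `.git`
/// entry exists; a file counts too, so worktrees and submodules work) AND a
/// working `git` CLI is reachable on PATH. A crates.io tarball built by
/// `cargo install` has no `.git`, so this returns false rather than erroring.
pub fn git_info_available(manifest_dir: &Path) -> bool {
    if !manifest_dir.join(".git").exists() {
        return false;
    }
    Command::new("git")
        .arg("--version")
        .output()
        .map(|out| out.status.success())
        .unwrap_or(false)
}

/// The cargo directives a build script would print: a `cfg` the crate can test
/// with `#[cfg(git_info)]` (declared via rustc-check-cfg so newer compilers do
/// not warn about an unexpected cfg), plus rerun triggers so the probe is
/// re-evaluated when the checkout state or the PATH changes.
pub fn build_script_directives(manifest_dir: &Path) -> Vec<String> {
    let mut lines = vec![
        "cargo:rustc-check-cfg=cfg(git_info)".to_string(),
        "cargo:rerun-if-changed=.git/HEAD".to_string(),
        "cargo:rerun-if-env-changed=PATH".to_string(),
    ];
    if git_info_available(manifest_dir) {
        lines.push("cargo:rustc-cfg=git_info".to_string());
    }
    lines
}

fn main() {
    // Cargo sets CARGO_MANIFEST_DIR for build scripts; fall back to "." when run by hand.
    let dir = std::env::var("CARGO_MANIFEST_DIR")
        .map(PathBuf::from)
        .unwrap_or_else(|_| PathBuf::from("."));
    for line in build_script_directives(&dir) {
        println!("{line}");
    }
}
```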

NobodyXu commented 1 year ago

While binstall already uses gitoxide, we still can't reuse that in build-dep due to the different profiles used. In profile.release, we set abort-on-panic, which cannot be enabled in build-dep.

repi commented 1 year ago

#1182 did not implement cargo-auditable support, right? Looks like that PR closed the wrong issue?

NobodyXu commented 1 year ago

> #1182 did not implement cargo-auditable support, right? Looks like that PR closed the wrong issue?

Well, it was actually implemented much earlier than that (before v1.0.0), and this issue is now used to track the verbose version.

repi commented 1 year ago

Ah! Cool, thanks.