Open mvasi90 opened 1 month ago
Well you can review the rustsite of the buildsystem in build.rs and the source code in embuild yourself. Github is run by microsoft and pulling esp-idf github repo is part of the process and that involves creating request against github. Also esp-idf heavily relight on python in it's cmake buildsystem and pull dependency's via pip. That all needs to be installed and managed somehow and potentially kept up to date. We try to make this process as friction-less as possible.
This friction-less setup might caught you off guard because you didn't review it yourself, but it helped countless people to even get a foothold into even starting this journey here. Keep in mind that this effort here is a community driven effort. We do it for the fun of it and if you want to influence or change something feel free to work on alternative means or create a PR improving documentation about it. If you need that for critical work stuff its your responsibility to keep things in order not the responsibility of some other folks on the internet.
Though in all earnestie i ask you the following question. Why are you ok with crates.io and not ok with pulling stuff from pypy via pip or pulling a git repo from github? I mean i understand that you may not expected that other services besides crates.io are involved, if you aren't aware how esp-idf works. But the argument to allow one but not the other fells of a bit short.
If that is not your cup of tea that is absolutely fine. There are a lot of ways to handle using esp-idf-sys even in an offline context. Though they require to learn more about the system and not just relight on others to do the heavy lifting, and some manual work.
So feel free disagree with what i said, though one point i want to clarify, if you are somewhat serious, before asking open-ended "rhetorical" questions about if Microsoft should be "aware" of what we are doing, consider reviewing the buildsystem as mention and feel free to drop a question, in the linked matrix channel, if you don't understand how a particular thing works.
Why are you ok with crates.io and not ok with pulling stuff from pypy via pip or pulling a git repo from github?
Because crates.io is only used once when downloading the libraries. Not in each compilation (cargo build
), much less in each execution (cargo run
), much less in the development of the software.
It is absurd that every time I open the IDE to program, it is accessing the internet to see updates, and if it doesn't have internet access it doesn't allow me to program. I decide when I change the version of each library. And that is when I start cargo build
to update.
Like crates.io we also have github.com and many other domains/subomains/IPs. But we don't tolerate internet access while we are programming.
I don't know your understanding of security and privacy, but free access to the internet should not exist if you want to maintain a secure environment.
There are a lot of ways to handle using esp-idf-sys even in an offline context. Though they require to learn more about the system and not just relight on others to do the heavy lifting, and some manual work.
Yes, we will have to investigate further the functionality of esp in rust. That requires more time and dedication to things outside of development, simply because esp in rust is designed to work online right out of the box.
Our systems (archlinux/gentoo) only have internet for certain applications/actions to their corresponding domains/subdomains and IP addresses.
The default policies drop both inbound, outbound and forwarding packets. (This should be the case for any enterprise and home computer to improve privacy and security).
We have been developing software in Rust for a long time and we understand that downloading libraries requires internet access. In such a case, access is allowed only to the
cargo build
instance and only to the domains and subdomainsindex.crates.io crates.io crates.io static.crates.io
.We are now creating projects in ESP32 (Xiao) and have encountered serious problems that prevent us from working securely and privately.
Neovim
(as developing IDE) does not work.Software development should certainly be offline.
It tries to connect to github (Microsoft), pypi.org, etc.
Cargo
run
(andespflash flash --monitor target/riscv32imac-esp-espidf/debug/...
) does not work offline:Stuks here. And the network log is:
Whenever we are developing something on our device, should Microsoft be aware of it? Every time we are uploading a binary already compiled on our local device, should external servers know our IP address and other sensitive information?
Please fix that.