search

facebook / dotslash

Simplified executable deployment
https://dotslash-cli.com
Apache License 2.0
535 stars 14 forks source link

Support .tar.xz archives #12

Closed abhinav closed 4 months ago

abhinav commented 4 months ago

Some projecst are only available as .tar.xz archives. For example, Zig releases for Linux and macOS are only available as .tar.xz archives.

This PR adds support to dotslash for .tar.xz archives, using the xz2 crate to provide the functionality. The xz2 create wraps the liblzma library.

In this change, the library is linked statically, so that the resulting binary does not depend on the liblzma library being installed on the system.

File size impact:

❯ uname -s
Darwin

❯ git checkout main
❯ cargo build --release
❯ wc -c target/release/dotslash
  985208 target/release/dotslash

❯ git checkout tarxz
❯ cargo build --release
❯ wc -c target/release/dotslash
 1052776 target/release/dotslash

This increases the binary size by 67,568 bytes on macOS. It comes down to 16,704 if we use dynamic linking. For now, I've chosen to use static linking.

Licensing concerns:

Per xz/COPYING,

liblzma is in the public domain.

So it should be safe to link statically or dynamically from a licensing point of view.

Testing: We'll need to update https://github.com/zertosh/dotslash_fixtures to generate a .tar.xz archive as well to be able to add a fixture for it.

Resolves #10

facebook-github-bot commented 4 months ago

Hi @abhinav!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!

facebook-github-bot commented 4 months ago

@dtolnay has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

bolinfest commented 4 months ago

With respect to licensing, I'm a bit confused because the COPYING file you link to mentions "public domain" and GPL but https://crates.io/crates/xz2 says Apache/MIT? (On mobile, maybe I misread.)

abhinav commented 4 months ago

Sorry, you're right I didn't clarify which license I was talking about. The Rust crate xz2 is Apache-2.0/MIT licensed, yes. Same for the Rust crate lzma-sys that it builds upon. However, lzma-sys wraps the C library xz, which has:

I was only referring to liblzma, which in hindsight was confusing.

facebook-github-bot commented 4 months ago

@dtolnay merged this pull request in facebook/dotslash@771abea2f5b0a14f21de7e2018e9bdc2c7f579f1.

bolinfest commented 3 months ago

I assume this is also affected by https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/

/cc @dtolnay