From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH] cargo.eclass: Emit a warning if the package uses 300+ crates
Date: Mon, 13 Jan 2025 14:36:13 +0100
Message-ID: <5da5fd440acbae19aba855f284d58978b2aa97d6.camel@gentoo.org>
In-Reply-To: <8e3840b5-acc5-43ff-908f-660baae13163@gentoo.org>
References: <20250112125639.15047-1-mgorny@gentoo.org> <8e3840b5-acc5-43ff-908f-660baae13163@gentoo.org>
List-Id: Gentoo Linux mail (gentoo-dev@lists.gentoo.org)

On Mon,
2025-01-13 at 10:40 +0100, Florian Schmaus wrote:
> First, switching from individual crates to a single crate tarball
> disallows inter-package crate archive reuse. Often, users will already
> have the required crates downloaded because another installed package
> used them. With an artificial crate count limit, users must download
> rather large crate tarballs, causing unnecessary traffic and increasing
> the disk space on Gentoo's mirrors and end-user systems. The crate
> tarballs quickly eat away the saved disk space in the ebuild repository.

I'm sure you've also done a thorough analysis on how much crate reuse
actually happens, as well as of the impact of adding thousands of tiny
files to Gentoo mirrors, the inefficiency of fetching them one by one,
and especially how badly crates.io actually handles that.

I'm also sure you've done a thorough analysis of actual disk space use,
that also takes into consideration the space wasted by thousands of tiny,
inefficiently compressed files, compared to crate tarballs that benefit
both from a much stronger compression algorithm, as well as the
opportunity to process much larger data blocks.

> Even worse, crate tarballs negatively impact the security of Gentoo
> users as they make it harder to audit ebuilds, and third-party crate
> tarballs add a further distinct party that can inject malicious code.
> Considering the recent supply chain attacks, this alone is a show-stopper.

`cargo audit` does not care about how crates are delivered to Gentoo
systems.

> Why is this warning suddenly necessary? Did a user run into an issue
> caused by more than 300 entries?

It is not "sudden". It is an ongoing effort.
-- 
Best regards,
Michał Górny
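The supply-chain point raised in the quoted message (that whoever assembles a crate tarball is one more party who could inject code) is mechanically checkable, because Cargo.lock pins a sha256 `checksum` for every registry crate and that checksum covers the `.crate` file byte for byte. The script below is an added example, not code from cargo.eclass or from anyone in this thread. It assumes the tarball contains `<name>-<version>.crate` files, optionally under a directory; the Cargo.lock text and the crate contents in `build_sample()` are constructed fixtures, including one crate deliberately altered after its checksum was pinned.

```python
"""Verify every .crate in a crate tarball against the sha256 pins in Cargo.lock.

Added example; not part of cargo.eclass. Assumes the tarball holds files named
<name>-<version>.crate (optionally inside a directory) and that Cargo.lock pins
registry crates with a 'checksum' field, as cargo writes it.
"""
import hashlib
import io
import tarfile


def parse_lockfile_checksums(lock_text: str) -> dict[str, str]:
    """Map '<name>-<version>' to the sha256 hex pinned in Cargo.lock.

    Handles only the flat [[package]] tables Cargo.lock uses (on Python 3.11+
    tomllib.loads() is the general alternative). Path and git dependencies
    carry no checksum and are skipped, so they never count as 'missing'.
    """
    checksums: dict[str, str] = {}
    current: dict[str, str] = {}

    def flush() -> None:
        if "checksum" in current:
            checksums[f"{current['name']}-{current['version']}"] = current["checksum"]

    for raw in lock_text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            flush()
            current = {}
        elif "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    flush()
    return checksums


def verify_crate_tarball(tarball: bytes, pinned: dict[str, str]) -> dict[str, str]:
    """Return {'<name>-<version>': status} covering both tarball and lockfile.

    ok        sha256 of the shipped .crate equals the Cargo.lock pin
    mismatch  shipped bytes differ from the pin (tampered or wrong upload)
    unpinned  crate present in the tarball but absent from Cargo.lock
    missing   pinned in Cargo.lock but not shipped in the tarball
    """
    results: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tf:
        for member in tf:
            if not member.isfile() or not member.name.endswith(".crate"):
                continue
            key = member.name.rsplit("/", 1)[-1][: -len(".crate")]
            digest = hashlib.sha256(tf.extractfile(member).read()).hexdigest()
            if key not in pinned:
                results[key] = "unpinned"
            elif digest != pinned[key]:
                results[key] = "mismatch"
            else:
                results[key] = "ok"
    for key in pinned:
        results.setdefault(key, "missing")
    return results


def build_sample() -> tuple[str, bytes]:
    """Constructed fixtures: fake crate bytes and a Cargo.lock that pins them."""
    good = b"good crate contents"
    tampered_original = b"tampered crate, as uploaded to the registry"
    tampered_shipped = tampered_original + b"\n# injected after pinning"
    extra = b"crate nobody asked for"

    lock = "\n".join([
        "# This file is automatically @generated by Cargo.",
        "version = 3",
        "",
        "[[package]]",
        'name = "good"',
        'version = "1.0.0"',
        'source = "registry+https://github.com/rust-lang/crates.io-index"',
        f'checksum = "{hashlib.sha256(good).hexdigest()}"',
        "",
        "[[package]]",
        'name = "tampered"',
        'version = "0.2.1"',
        'source = "registry+https://github.com/rust-lang/crates.io-index"',
        f'checksum = "{hashlib.sha256(tampered_original).hexdigest()}"',
        "",
        "[[package]]",
        'name = "absent"',
        'version = "3.1.4"',
        'source = "registry+https://github.com/rust-lang/crates.io-index"',
        f'checksum = "{hashlib.sha256(b"never shipped").hexdigest()}"',
        "",
        "[[package]]",  # path dependency: no checksum, must not be flagged
        'name = "localthing"',
        'version = "0.1.0"',
    ])

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in [
            ("crates/good-1.0.0.crate", good),
            ("crates/tampered-0.2.1.crate", tampered_shipped),
            ("crates/extra-0.0.1.crate", extra),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return lock, buf.getvalue()


def demo() -> dict[str, str]:
    lock, tarball = build_sample()
    return verify_crate_tarball(tarball, parse_lockfile_checksums(lock))


if __name__ == "__main__":
    for crate, status in sorted(demo().items()):
        print(f"{status:9} {crate}")
```

Run against a real package, the inputs are the package's Cargo.lock and the fetched crate tarball; anything other than `ok` across the board means the tarball is not the set of bytes the upstream lockfile pins, regardless of who produced it.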