[bug#44492] [PATCH 01/52] gnu: Add rust-ruma-identifiers-validation-0.1.

[Nicolas Goaziou]

Leo Prikler <leo.prikler@student.tugraz.at> writes:

> I was afraid this would cause rebuilds for the existing package. Was
> that fear unfounded?

I don't think it would change anything. It is what we usually do in
"crates-io.scm".

> I personally disagree.  The only reason a crate failing to build is a
> "valid input" to another is because that other crate can decide to
> completely disregard it, which sounds neither "reliable" nor
> "efficient" for a programming language, that prides itself as both.

Probably, but the problem at hand is not to fix how Rust builds its
crates, but rather optimize Rust packaging.

> I will only skip builds for dead crates, i.e. crates I can reasonably
> assume to only contain dead code due to their build failures.  This
> does not seem to cost much when building dependant packages, as I've
> found that in order to actually build the crates I have to explicitly
> invoke `guix build <crate>`.

There's much more work involved. You have to take care of development
inputs which increases drastically the number of crates to package.
Moreover, you need to try building each of them, which takes time. Not
skipping builds makes de facto some packages impossible to package.

> Of course, there's still the problem of CI.  Long-term, I think we
> should find a way for this efficient programming language to reliably
> produce reusable build artifacts.  Short term, hitting non-leaf
> packages, that have cargo-build-system anywhere with a priority of
> negative infinity sounds like a better workaround.  I want to be able
> (as a developer) to explicitly build crates and determine where they
> fail.

As a packager, you don't need to build the crate to fix any issue
arising at a higher level, as I pointed out already. If you're
developing the crate, that's another story. But then, you can quickly
write your own package definition.

I think the real questions about building intermediate crates, from
a packager point of view, are:
- does that make the packages reproducible?
- does that make the packages more secure?
- does that make the packages easier to define?

>From my experience, the answer is "no" to any of these. This is a net
loss.

> I believe we should not cowtow to Rust and Cargo, but instead force
> them to adhere to our principles; principles of building applications
> *and* libraries reproducibly without encoding hashes in a huge ass-lock 
> file.

I don't think it is worth focusing of this. We currently do a good job
in Rust packaging, really. But it doesn't make much sense to have some
packages skipping builds and not some others.

What saddens me a bit is that individuals (including me, of course) are
currently doing as they see fit, but we haven't so far decided, as
a group, how to deal with the question uniformly. I hope we can converge
quickly.


Regards,