kibwen 2 days ago

> That rustup itself could be in repos and still work

So surely you acknowledge that rustup not being in any given distro's repo isn't something that the Rust developers have control over? How do you expect the Rust devs to distribute the compiler? If you want to build from source, that's extremely easy. For people who want convenient binaries, Rust also offers binaries via the most convenient means available, which is curl-to-bash. This isn't a security flaw any more than running the compiler itself is.

veber-alex 2 days ago | parent | next [-]

rustup is available on plenty of distros now, and it's on Homebrew on macOS.

The Rust docs should really offer installation methods other than curl | sh. Not from a security standpoint (I think that's nonsense) but I just don't like polluting my system with random stuff that is not managed by a package manager.

Edit: Yes, there is an "other installation methods" link, but the text makes it sound like it is only applicable for Windows.

shadowgovt 2 days ago | parent | prev | next [-]

This is probably the key idea in this specific context: the tool you're downloading is a compiler. If you don't trust the bash script hosted by the compiler's creators (assuming you're properly certificate-checking the curl connection and not bypassing TLS), why would you trust the compiler binary it's trying to install?

superkuh 2 days ago | parent [-]

I trust Debian to vet and package things in a way that won't break my desktop. I don't trust the Rust organization because their goals are very different.

mustache_kimono 2 days ago | parent | next [-]

> I trust Debian to vet and package things in a way that won't break my desktop.

Um, has there been some instance where rustup broke a desktop? And I'm assuming Debian has actually delivered on this worst-case scenario?

shadowgovt 2 days ago | parent [-]

Debian's done a pretty good job here. If you run unstable you'll get up to Rust 1.85 (whereas the project home will get you 1.88).

Of course, it's Debian; stable is alllll the way back on 1.63, state of the art in 2022.

mustache_kimono 2 days ago | parent [-]

> Debian's done a pretty good job here.

I meant I bet Debian has broken desktops with a simple `apt update`. Whereas show me where rustup has broken a desktop?

shadowgovt 2 days ago | parent | prev [-]

I'm not sure how that's relevant for Rust. I'm trying to think of a way they could distribute the Rust toolchain that would break your desktop; does your desktop have a native Rust install that other pieces of the distro are relying on to have a particular configuration (like the gcc most distros ship with) that a curl | bash-installed toolchain would interfere with?
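
The question above (whether a user-installed toolchain collides with a distro-managed one) is something you can check rather than guess at. The script below is an added example, not code from the Rust project or from anyone in this thread. It builds a constructed sandbox with a "distro" rustc and a "user" rustc laid out the way rustup does by default (binaries under ~/.cargo/bin, which rustup prepends to PATH), then reports whether the user copy shadows the distro copy for a given PATH order. The stub binaries and the sandbox paths are made up; the verdict names (distro, user, shadowed, missing) are my own.

```shell
#!/bin/sh
# Added example for the thread above; not the Rust project's code or any commenter's.
# Reports whether a user-managed toolchain binary (e.g. ~/.cargo/bin/rustc from
# rustup) shadows the copy a distro package manager installed (e.g. /usr/bin/rustc).
# Everything below runs against a constructed temp directory, so no real install
# is inspected or modified.
set -eu

# all_hits NAME PATHLIST: print every executable NAME found along PATHLIST, in PATH order.
all_hits() {
    printf '%s\n' "$2" | tr ':' '\n' | while IFS= read -r dir; do
        [ -n "$dir" ] && [ -x "$dir/$1" ] && printf '%s\n' "$dir/$1"
        :   # keep the loop body's exit status 0 under set -e
    done
}

# shadow_verdict NAME PATHLIST DISTRO_DIR: classify what NAME resolves to.
#   distro   - the first hit is the distro-managed copy
#   user     - only a non-distro copy exists, so there is nothing to shadow
#   shadowed - a non-distro copy comes before the distro copy on PATH
#   missing  - no executable NAME anywhere on PATH
shadow_verdict() {
    name=$1; pathlist=$2; distro_dir=$3
    hits=$(all_hits "$name" "$pathlist")
    first=$(printf '%s\n' "$hits" | head -n 1)
    if [ -z "$first" ]; then
        echo missing
    elif [ "$first" = "$distro_dir/$name" ]; then
        echo distro
    elif printf '%s\n' "$hits" | grep -qxF -- "$distro_dir/$name"; then
        echo shadowed
    else
        echo user
    fi
}

# make_sandbox: constructed layout with a "distro" rustc and a rustup-style "user"
# rustc, both shell stubs. Prints the sandbox root so the caller can clean it up.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/usr/bin" "$sb/home/.cargo/bin"
    for f in "$sb/usr/bin/rustc" "$sb/home/.cargo/bin/rustc"; do
        printf '#!/bin/sh\necho "stub rustc at %s"\n' "$f" > "$f"
        chmod +x "$f"
    done
    printf '%s\n' "$sb"
}

# Demo: the same two copies, two PATH orders.
sb=$(make_sandbox)
# rustup's default puts ~/.cargo/bin first, so the distro copy is shadowed.
shadow_verdict rustc "$sb/home/.cargo/bin:$sb/usr/bin" "$sb/usr/bin"   # shadowed
# With the distro dir first, the rustup copy is present but does not win.
shadow_verdict rustc "$sb/usr/bin:$sb/home/.cargo/bin" "$sb/usr/bin"   # distro
rm -rf "$sb"
```

On a real machine you would pass `"$PATH"` and the distro's bin directory instead of the sandbox values; a `shadowed` verdict is exactly the situation the comment asks about, and it is confined to whatever PATH the user's shell sets up, since rustup does not touch the distro-owned binary itself.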

superkuh 2 days ago | parent | prev [-]

> you acknowledge that rustup not being in any given distro's repo isn't something that the Rust developers have control over

The lack is a consequence of the type of language Rust developers chose to be. One that is constantly, rapidly (over just a few months) changing itself in forwards-incompatible ways. Other languages don't really have this problem. Even with C++ you only have breaking changes every 3-4 years, which can be handled by repos. But a 3-month-old rustc in $distro repos is already fairly useless. Not because Rust is a bad language, but because the types of people that write in Rust are all bleeding-edge early adopters and always use $latest when writing. In another decade or so, when the Rust developer demographics even out a bit, it will probably be okay.