[tor-bugs] #31588 [Applications/Tor Browser]: Be smarter about vendoring for Rust projects
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Nov 15 13:16:22 UTC 2019
#31588: Be smarter about vendoring for Rust projects
--------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-rbm | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by gk):
Replying to [comment:4 boklm]:
> Replying to [comment:3 gk]:
> > Replying to [comment:2 boklm]:
> > > If Mozilla is vendoring most of the rust dependencies we need, I
> > > think we could generate a tarball from `tor-browser.git/third_party/rust`,
> > > and include it in the `cbindgen` project, and in other rust projects that
> > > we build. That way we don't need to manually update a tarball of vendored
> > > projects.
> > >
> > > If we want to avoid generating a new tarball (which will probably
> > > involve generating a tarball containing all the firefox tree, extracting
> > > it, and generating a new tarball from the `third_party/rust` directory
> > > only), we can re-use the `src-firefox-$version.tar.xz` tarball which we
> > > already generate.
> >
> > Yeah, I've thought about that. The problem here is, though, that the
> > projects in question are external ones which are *not* needed to build
> > Mozilla's Rust code. Thus, Mozilla has not vendored them in but has them
> > rather as a build dependency. For `cbindgen` we could think about using
> > Debian packages, at least once we don't have versions anymore where
> > `cbindgen` is not shipped in a sufficiently recent version. For
> > `lucetc` this option is not available.
>
> Hmm, I don't understand what you mean here. When I look at the content
> of `cbindgen-vendor.tar.bz2`, all the directories included in it are also
> present in `tor-browser.git/third_party/rust`. Or are you talking about
> other projects than cbindgen?
I am talking right now about `cbindgen` and `lucetc`. But the specific
`third_party/rust` part I had in mind is only applying to the former.
Yes, the packages are there but not all the versions are the same as
`cargo vendor` gives us. Thus, the risk is high that either compilation
fails or some other weird behavior would happen. If the packages available
*and* the versions they are in matched, I agree, using the code from
`third_party/rust` would work. But, alas, that's not the case.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31588#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
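
The condition described in the comment above (a crate directory is present in a vendor tree, but at a different version than the project's lockfile pins) can be checked before a build is attempted. The following is an added example, not part of the ticket or of Tor Browser's build scripts; the function names, the simplified regex-based TOML handling, and the sample crates are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Simplified TOML handling: enough for Cargo.lock and cargo-normalized manifests.
LOCK_BLOCK = re.compile(r'^\[\[package\]\]\n(.*?)(?=^\[|\Z)', re.M | re.S)
PKG_SECTION = re.compile(r'^\[package\]\n(.*?)(?=^\[|\Z)', re.M | re.S)
SRC = 'source = "registry+https://github.com/rust-lang/crates.io-index"'

def _field(text, key):
    m = re.search(rf'^{key}\s*=\s*"([^"]+)"', text, re.M)
    return m.group(1) if m else None

def locked_packages(lock_text):
    """(name, version) of every external dependency pinned in a Cargo.lock."""
    blocks = LOCK_BLOCK.findall(lock_text)
    # Entries without `source` are the project itself or path dependencies.
    return {(_field(b, "name"), _field(b, "version")) for b in blocks if _field(b, "source")}

def vendored_packages(vendor_dir):
    """(name, version) of every crate directory directly under a vendor tree."""
    found = set()
    for manifest in Path(vendor_dir).glob("*/Cargo.toml"):
        m = PKG_SECTION.search(manifest.read_text())
        if m:
            found.add((_field(m.group(1), "name"), _field(m.group(1), "version")))
    return found

def vendor_gaps(lock_text, vendor_dir):
    """Return (missing, wrong_version): locked crates the tree cannot satisfy."""
    have = vendored_packages(vendor_dir)
    names = {name for name, _ in have}
    missing, wrong_version = [], []
    for pin in sorted(locked_packages(lock_text)):
        if pin not in have:
            (wrong_version if pin[0] in names else missing).append(pin)
    return missing, wrong_version

def demo():
    # Constructed sample: crate names and versions are made up for illustration.
    lock = "\n".join([
        '[[package]]', 'name = "tool"', 'version = "0.1.0"', '',
        '[[package]]', 'name = "dep-a"', 'version = "1.2.0"', SRC, '',
        '[[package]]', 'name = "dep-b"', 'version = "0.4.1"', SRC, '',
        '[[package]]', 'name = "dep-c"', 'version = "2.0.0"', SRC, ''])
    with tempfile.TemporaryDirectory() as tree:
        for name, version in [("dep-a", "1.2.0"), ("dep-b", "0.3.9")]:
            crate = Path(tree, name)
            crate.mkdir()
            (crate / "Cargo.toml").write_text(f'[package]\nname = "{name}"\nversion = "{version}"\n')
        return vendor_gaps(lock, tree)
```

A crate in `wrong_version` is the case the comment warns about: a directory listing alone makes the tree look complete, while the lockfile pin is not actually satisfied.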