• I mean, that’s not a Rust issue per se. It’s only noticeable because cargo is much better than most build systems, and hence is an actual option for distribution of software. But there should ideally always be a binary distribution. I know some people like to build everything by themselves, but I get it, it’s annoying.

    • jaybone@lemmy.zip · ↑12 · 12 hours ago

      For people who do this, is the purpose to ensure you are not getting a bad binary which has some malicious code compiled in?

      If yes, isn’t it more difficult to check all the source code yourself? You may as well trust a binary where the author has confirmed a hash of the binary. Unless you really are checking every single line of source code. But then I wonder how you get anything else done.

      • ulterno@programming.dev · ↑7 · 10 hours ago

        The incident from xz gives a good example of where self-compiling stuff would be a good idea.
        The code was mostly fine, but the maintainer managed to include malicious instructions in the binary. Most people who read the source didn’t realise the possibility. I checked it out afterwards and it was still hard to get.

      • ѕєχυαℓ ρσℓутσρє@lemmy.sdf.org · ↑11 · 12 hours ago

        The idea is that someone is checking the code. And by building it yourself, you can at least ensure that you’re getting what’s built from the code. It is possible that some malicious stuff was inserted while building the binary that doesn’t show up in the source code. Building from source solves that problem.

        Reproducible builds try to solve that problem by generating some provenance from a third party. A middle ground can be building the binary using something like GitHub Actions, since that can be audited by others. That comes with its own can of worms since GH is owned by M$, but I digress.

        So it is technically sane to do it, just not very practical in my view. But for lesser known apps, I do sometimes build from source.
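The distinction drawn in this part of the thread (a digest published alongside a binary versus a binary rebuilt from source), as an added example that is not from any commenter. File names and contents are constructed placeholders, and the check assumes the project's build is reproducible, so that a rebuild is byte-identical.

```shell
#!/bin/sh
# Classify a downloaded release binary against (a) the digest published with
# it and (b) a binary rebuilt locally from the source tree.

sha256_of() {
    # Print only the hex digest of a file.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_release DOWNLOADED PUBLISHED_DIGEST LOCAL_BUILD
# Echoes one of:
#   download-mismatch  download differs from the published digest
#   not-reproduced     download matches the digest but not the local build
#   reproduced         download, published digest and local build all agree
check_release() {
    [ -r "$1" ] && [ -r "$3" ] || return 2
    dl=$(sha256_of "$1")
    built=$(sha256_of "$3")
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$dl" != "$want" ]; then
        echo download-mismatch
    elif [ "$dl" != "$built" ]; then
        echo not-reproduced
    else
        echo reproduced
    fi
}

# Constructed demo: an honest download and a binary altered at build time.
demo() {
    d=$(mktemp -d)
    printf 'constructed-release-bytes' > "$d/local"
    cp "$d/local" "$d/download"
    printf 'constructed-release-bytes+extra' > "$d/altered"
    check_release "$d/download" "$(sha256_of "$d/local")" "$d/local"
    # A digest computed over the altered binary by whoever built it still
    # matches the download; only the rebuild comparison shows the difference.
    check_release "$d/altered" "$(sha256_of "$d/altered")" "$d/local"
    rm -rf "$d"
}
demo
```

The second demo case is the one a published hash alone cannot catch: the digest matches because it was computed over the already-altered binary.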

    • Ephera@lemmy.ml · ↑8 · 11 hours ago

      Yeah, the good tooling also means it isn’t even terribly difficult for the dev to provide builds, but it isn’t quite as automated as publishing to crates.io, so many don’t bother with automating or manually uploading…

    • nesc@lemmy.cafe · ↑2 ↓3 · 4 hours ago

      Pypi isn’t in any way less an option for distributing software; the countless projects that use it that way can be used as proof. Hell, awscli has been installed from pypi for ages. In my experience cargo is extremely slow at downloading the hundred libraries that every program needs, and rustc builds them extremely slowly.

      • edinbruh@feddit.it · ↑5 · 8 hours ago

        Correction, uv isn’t in any way less an option. pypi is only the registry. If you are using pip you will end up in dependency hell, you might use something like poetry to avoid that, but uv is just better.

        But… wait a minute… uv is inspired by cargo, and it’s also written in rust. That’s quite the coincidence, huh?

        Also, cargo is fast, it’s rustc that’s slow, and that’s because rustc is doing advanced code analysis. Compiling rust is actually NP-hard, but in exchange for that, the compiler will catch bugs in place of the developer. Which is a good tradeoff considering that you only compile once and run many times.

        “countless projects that use it that way” isn’t proof of anything. Countless projects tell you to curl a 2000-line script into sudo bash that will fill your os with bullshit.

        • nesc@lemmy.cafe · ↑1 ↓1 · 4 hours ago

          Pip is a sane default that works for the absolute majority of cases; anyway, the correct tool for installing programs from pypi is pipx, which eliminates ‘dependency hell’, but ofc the new cool tool is the only way to do things.

          When a little program in Rust that replaced the previous one compiles for two hours, compared to the previous one that compiled in a few minutes, it matters.

          • rtxn@lemmy.worldM · ↑2 · 4 hours ago

            None of the issues you’ve described are Cargo’s fault. The long compilation time is simply rustc’s compile-time checks (ensuring type and memory safety is much more involved than lexing in GCC), and the number of dependencies to compile is a result of the crate ecosystem. Cargo is just the front-end that automates fetching dependencies and compilation with rustc. Blaming it for slow compilation is like hitting your monitor when the computer is acting up.

            • nesc@lemmy.cafe · ↑1 · 4 hours ago

              I’m not blaming cargo specifically for building; it is slow to download deps as well, which was clearly stated in my first post. I’m going to edit it now.

      • Ephera@lemmy.ml · ↑5 · 8 hours ago

        The Rust compiler is more sophisticated than most compilers, so it can be slower at the same kind of tasks. But it also just does a different task here.

        One of the tradeoffs in Rust’s design is that libraries get compiled specifically for a concrete application. So, whereas in most programming languages, you just download pre-compiled libraries, in Rust, you actually download their source code and compile all of it on your machine.

        This isn’t relevant if you get a pre-built binary. And it’s not particularly relevant during development either, because you get incremental compilation. But yeah, if someone wants to compile a Rust codebase from scratch, then they have to sit through a long build.