Reproducible binary package built from source #4
Yes, guix-rustup works by downloading pre-built binaries from static.rust-lang.org
Not sure what you mean by this. Do you mean compiling rustc/cargo etc. from source?
What do you mean by another source here?
Yes, I mean the ability to compile rustc / cargo from source. If we look at guix's own rust package, one can either download the binaries directly, or compile from rust's source code into the binary. This extra compile-from-source way allows one to verify that the final binary installed indeed comes from a particular set of source code, which enhances the overall security of the system. For this compile-from-source solution to work perfectly, it is necessary to make a package reproducible, meaning anyone can start the compilation process anywhere at any time, and the compilation process will always generate the same binary from the same source code. We rely on this reproducible feature, and the ability to compile the rust compiler from source code, very much in our workflow, and we would love to help with this feature if it sounds great to you. By another source, I mean something like this: it is unknown if the binaries at static.rust-lang.org are reproducible, or whether that is a priority. We definitely can reach out to the rust team to see if reproducible binaries are a priority to them. If the answer is yes, then everything will be great, but if not, we are interested in providing an alternative rustup dist server, much like this, but all the binaries in our dist server will be compiled in a reproducible manner, so everyone can replicate the same process, verifying that the binaries are indeed valid (much like guix's other packages). And for the most adventurous minds, they can always compile rustc/cargo directly from source, without using any dist server. Let me know what you think of this.
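The verification described in the comment above, as an added example that is not part of the thread and is not code from guix-rustup, Guix or the Rust project: it compares a published tarball with an independent rebuild and separates real content differences from packaging-only differences such as timestamps. The function names and the sample archive contents are constructed for illustration.

```python
import hashlib
import io
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def member_digests(archive: bytes) -> dict:
    """Map each regular file in a tar archive to (content sha256, mode, mtime)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                out[m.name] = (sha256(tar.extractfile(m).read()), m.mode, m.mtime)
    return out


def compare_builds(published: bytes, rebuilt: bytes) -> dict:
    """Classify how a published archive differs from an independent rebuild."""
    result = {"verdict": "bit-identical", "content": [], "metadata": [], "missing": []}
    if sha256(published) == sha256(rebuilt):
        return result
    a, b = member_digests(published), member_digests(rebuilt)
    common = set(a) & set(b)
    result["missing"] = sorted(set(a) ^ set(b))
    result["content"] = sorted(n for n in common if a[n][0] != b[n][0])
    result["metadata"] = sorted(
        n for n in common if a[n][0] == b[n][0] and a[n][1:] != b[n][1:])
    # Same file contents but a different archive hash means only the packaging
    # (timestamps, modes, ordering) is non-deterministic.
    differs = result["content"] or result["missing"]
    result["verdict"] = "content-differs" if differs else "packaging-only"
    return result


def make_tar(files: dict, mtime: int) -> bytes:
    """Build a constructed sample archive with a fixed mtime on every member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(files[name]), mtime, 0o755
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


if __name__ == "__main__":
    src = {"rustc/bin/rustc": b"constructed binary", "rustc/lib/libstd.so": b"constructed lib"}
    print(compare_builds(make_tar(src, 0), make_tar(src, 1700000000)))
```

A "packaging-only" verdict points at the archive step (for example unpinned timestamps) rather than the compiler output, which is usually the cheaper kind of non-determinism to fix.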
I see. I like the idea. You may want to read Bootstrappable bitcoin release builds with Guix.
That's very generous of you. The Guix community would appreciate that. You can reach out to the Guix rust-team first. They have more knowledge of bootstrapping Rust in Guix.
Yeah, Bitcoin is definitely an original inspiration, and also what drove us to guix. Will definitely reach out to the guix rust-team and others, thanks! Will follow up here once we have more to share.
First of all, really nice project!
Please correct me if I am wrong, but it occurs to me that right now guix-rustup works by downloading pre-built binaries from static.rust-lang.org. While this indeed is a path that suits many, I was wondering if it is possible to go one step further, and support compiling rust packages from source.
Of course this would require the pre-built binaries from static.rust-lang.org to be reproducible (or maybe it's worthwhile to add another source?); we will have to look into this. I would first want to check if such a thing is of interest to you; if so, we are happy to help and collaborate.