-
Notifications
You must be signed in to change notification settings - Fork 12.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Building rust 1.81.0 does network access in the "build" phase #130708
Comments
Duplicate of #130099. tl;dr: While building the new source tarball as part of the build process, we try to vendor all dependencies even if they have already been vendored. Previously the resulting error when offline would be accidentally ignored, but due to a refactoring of the build system it no longer gets ignored, instead aborting the entire build. As solution try backporting #130110 and set |
duplicate thus |
Duplicate of #130099.
tl;dr: While building the new source tarball as part of the
build process, we try to vendor all dependencies even if they
have already been vendored. Previously the resulting error when
offline would be accidentally ignored, but due to a refactoring
of the build system it no longer gets ignored, instead aborting
the entire build.
I find that a little strange. I would instead have expected that
the tarball was entirely self-contained, and required no further
verification or updating, especially not during the build phase.
As solution try backporting
#130110 and set
`dist.vendor = false` in `config.toml`. (I think `--set
dist.vendor=false` would work if you use `./configure` instead
of manually creating `config.toml`.)
Thanks, did that, and it works, and I can disable the workaround
in the package again.
|
I tried to package rust 1.81.0 for pkgsrc-wip, and while trying to do a native build on NetBSD/amd64, I get:
I expected to see this happen: no download / network access during the build phase, please.
Instead, this happened: I got the above.
The pkgsrc packaging system insists on checksumming all the build components, all to be downloaded in the "fetch" phase and verified against already-recorded checksums, and therefore sets up an un-resolvable proxy to trap exactly this "anti-packaging" behavior. Doing network access of any type during the build phase is at best considered to be "bad form", as the components which go into the build could then vary depending on external unverifiable factors, possibly causing the build to produce inconsistent results between different builds. At worst this could be a security issue.
This means that the 1.81.0 tarball isn't completely "frozen"...
Hints for working around this gratefully accepted.
The text was updated successfully, but these errors were encountered: