I would like to add the following entry to the table of build
profiles in BuildProfileSpec:

Profile anme: `cargo-upstream`
Can cause changes to built binaries, including functional chnges. (Y)
Should not cause changes to set of build debs. (N)
Description:
Obtain Rust dependencies from crates.io, not from Debian; use a
`Cargo.lock` from the source package if there is one. Will usually
cause cargo to make network accesses. Ideally, behaviour of the
resulting programs will be the same, but this is not guaranteed.

This is useful when developing packages which are to be uploaded to
Debian, but whose build dependencies are not yet available in the
targeted suite.

It allows a Debian maintainer or user to more easily rebuild the
package in a different suite to the one targeted, and can allow
unification of upstream (crates.io-based) and Debian development
without needing to carry a build system patch.

Particularly, it will sometimes ease the task of getting (leaf)
packages in Debian, as other aspects of the packaging can more easily
be tested separately from working on getting the dependencies in.

This build profile ought only to be used in packages that are intended
to appear in Debian (or a derivative) with .debs built from in-distro dependencies (ie the dh_cargo-style local cargo replacement
repository, containing). In such packages, obtaining dependencies
locally from within-distro is the default behaviour without
-Pcargo-upstream.

Invocation of this build profile will generally only be appropriate in
the context of manual development, or package-specific near-upstream
release workflows. Certainly this profile ought not to be activated
for uploads to Debian, as it makes the package build depend on
out-of-distro inputs (and relies on external network access at build
time).

For now, I expect to use this only in an ad hoc fashion in affected
packages. (I have a number of candidates.)

However, this could be a generally useful feature for Debian's cargo
tooling to support, and I think it could do so in a general way so
that this profile would be available in most Debian packages
containing Rust code, without package-specific work. Whether to
implement such a feature is a matter for the maintainers of dh_cargo
et al.; IMO the build profile registration is useful even ad-hoc,
without any general feature.

Ian.

--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Ian,

On Thu, Dec 15, 2022 at 10:41:13AM +0000, Ian Jackson wrote:

I would like to add the following entry to the table of build
profiles in BuildProfileSpec:

Profile anme: `cargo-upstream`
Can cause changes to built binaries, including functional chnges. (Y)
Should not cause changes to set of build debs. (N)
Description:
Obtain Rust dependencies from crates.io, not from Debian; use a
`Cargo.lock` from the source package if there is one. Will usually
cause cargo to make network accesses. Ideally, behaviour of the
resulting programs will be the same, but this is not guaranteed.

[...]

I have just one question: why make this rust-specific? I think a similar
thing might be useful for golang packages (who also don't support shared libraries), or, heck, even Perl (if I'm willing to test that the package
works while I have the not-yet-packaged dependencies in my ~/perl5/lib)

--
w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}

I will have a Tin-Actinium-Potassium mixture, thanks.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

[ reply to d-devel only, as more suitable for Debian-wide issue ]

Quoting Ian Jackson (2022-12-15 11:41:13)

I would like to add the following entry to the table of build
profiles in BuildProfileSpec:

Profile anme: `cargo-upstream`
Can cause changes to built binaries, including functional chnges. (Y)
Should not cause changes to set of build debs. (N)
Description:
Obtain Rust dependencies from crates.io, not from Debian; use a
`Cargo.lock` from the source package if there is one. Will usually
cause cargo to make network accesses. Ideally, behaviour of the
resulting programs will be the same, but this is not guaranteed.

This is useful when developing packages which are to be uploaded to
Debian, but whose build dependencies are not yet available in the
targeted suite.

Similar pain for other upstream ecosystems as well - I know about npm
for NodeJS modules, but imagine it is similar for Java and others as
well.

What is the benefit of introducing a standardized flag for this
relatively narrow scope, compared to doing non-standardized fetching of
crates _before_ package build and building with those embedded?
Example of doing that is here: https://salsa.debian.org/debian/helvum (essentially doing `cargo vendor --versioned-dirs debian/vendorlibs`).

If there is really a need for a standardized flag, then what is the
benefit of a narrow one specific to cargo, compared to a more general "fetches-source-during-build" that would be suitable also for e.g.
NodeJS fetching npm modules?


- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
* Sponsorship: https://ko-fi.com/drjones

[x] quote me freely [ ] ask before reusing [ ] keep private --==============%75474526687762019=MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Description: signature
Content-Type: application/pgp-signature; name="signature.asc"; charset="us-ascii"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAmObEQgACgkQLHwxRsGg ASEtQA//b/LumyiZQ538tmqVVU5tz1lHYqfdFrl8/hrf9EtlcHTuW4oQZ/yAjBap 2oYnvKYBk3RGkqaZZcyONUiWcMEaaWI3X2CTthAdKsLM4IW2uzUWHDTS7AzKFTrh uv0CUgcEdBk+sde/koZAxjaeT4+ftK+nWBNY+nFe1u4vUHHJk+CJ4jfYWGzWTEuU OKa2h0KrXkFuazEHIgI0nS/QYooWook4lim4hJcCk20djXwdzEQ2SmPsPlVcy6wQ CYJP6yC+vDJCGlGBQAjotRXi1yuG1y8EIpJRDe1RpMPXLwtFN6psS7THcPpIpBee y9bgulM6Ltzr2jt5Z9j9cvwWGO2BPM+8nQ907bPbYXzvCJw1yRJbU/duuAuQ+uvl dQC66ykje7eqUq1qn3DDpuQITaqBC+8Mr2v2XZZKaficJ547GLMO1aXtWIuT2qUo dZ6kBEKHNOBL6tDc07JzFMw+wPM3m9dLURi+L3Ti

Jonas Smedegaard writes ("Re: Proposed `cargo-upstream` dpkg-buildpackage etc. build profile"):

Similar pain for other upstream ecosystems as well - I know about npm
for NodeJS modules, but imagine it is similar for Java and others as
well.

Yes.

What is the benefit of introducing a standardized flag for this
relatively narrow scope, compared to doing non-standardized fetching of crates _before_ package build and building with those embedded?
Example of doing that is here: https://salsa.debian.org/debian/helvum (essentially doing `cargo vendor --versioned-dirs debian/vendorlibs`).

IDK what precisely you mean there, and you've liked to the repo as a
whole so I'm not sure what to look for. Maybe you mean "what's wrong
with pretending to vendor the dependencies" ?

Whatever approach is taken, it has to be controlled somehow. For
example, the paths to dependencies need to be adjusted, or the use of
the Debian cargo wrapper enabled/disabled.

That control can be done by: (i) modifying the package source code
(which is much more a pain, even if it's a toggle in a single place),
(ii) ad-hoc environment variables or something (which don't survive
sbuild) or (iii) a build profile.

ISTM that this kind of "build this package in s funky way" situation
is precisely what build profiles are good for.

If there is really a need for a standardized flag, then what is the
benefit of a narrow one specific to cargo, compared to a more general "fetches-source-during-build" that would be suitable also for e.g.
NodeJS fetching npm modules?

Wouter made the same point - I will reply there, to both the CC lists.

Ian.

--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Wouter Verhelst writes ("Re: Proposed `cargo-upstream` dpkg-buildpackage etc. build profile"):

I have just one question: why make this rust-specific? I think a similar thing might be useful for golang packages (who also don't support shared libraries), or, heck, even Perl (if I'm willing to test that the package works while I have the not-yet-packaged dependencies in my ~/perl5/lib)

You are absolutely right that many other upstream (language-specifc)
package managers will have analogous situations.

I think *each* of these should have their *own* build-profile, rather
than one portmanteau one. If a package has both Rust and NPM build-dependencies, say, a user may very well want to use Rust
dependencies from Debian and NPM dependencies from upstream, or vice
versa.

The profile name should be named after the upstream package manager
being influenced, not after the programming language, since some
languages have several.

So I think that we will probably want
cargo-upstream
npm-upstream
golang-upstream (is this the right name?)
etc.

Maybe this means that the name ought to be the other way arond, so
they all group together in the table, like the `no*` options.
upstream-cargo
upstream-npm
upstream-golang (is this the right name?)

I don't want to speak for those working with these other package
managers, so I don't propose to add all of those right away. But
establishing the precedent will hopefulloy be helpful for them

So for now I'm proposing to add just the cargo one. If someone
working with Node packages (say) tells me "we want this for npm too"
then great and we should do that right away. Otherwise we should
wait until ti's wanted.

Ian.

--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Quoting Ian Jackson (2022-12-15 14:05:32)

Jonas Smedegaard writes ("Re: Proposed `cargo-upstream` dpkg-buildpackage etc. build profile"):

What is the benefit of introducing a standardized flag for this
relatively narrow scope, compared to doing non-standardized fetching of crates _before_ package build and building with those embedded?
Example of doing that is here: https://salsa.debian.org/debian/helvum (essentially doing `cargo vendor --versioned-dirs debian/vendorlibs`).

IDK what precisely you mean there, and you've liked to the repo as a
whole so I'm not sure what to look for. Maybe you mean "what's wrong
with pretending to vendor the dependencies" ?

Whatever approach is taken, it has to be controlled somehow. For
example, the paths to dependencies need to be adjusted, or the use of
the Debian cargo wrapper enabled/disabled.

That control can be done by: (i) modifying the package source code
(which is much more a pain, even if it's a toggle in a single place),
(ii) ad-hoc environment variables or something (which don't survive
sbuild) or (iii) a build profile.

ISTM that this kind of "build this package in s funky way" situation
is precisely what build profiles are good for.

I disagree that it "has to be controlled somehow" *during build*, which
build profiles is about.

Looking at current list of profile names at https://wiki.debian.org/BuildProfileSpec#Registered_profile_names it
seems to me that none of them involve violating the principle of source
package providing source for the build.

Essentially, you are proposing to formalize a way for injecting source
during build.

Debian currently has tooling for helping fetch source _before_ build,
most notably uscan, which does not involve defining a build profile
because what is built is static.

What I question is the sense of introducing dynamic-source builds, as
opposed to mangle-source-before-build which as a proof of concept is
possible to do with Rust creates through calling `cargo vendor ...`
_outside_ of regular dpkg-source mandated build targets.


- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
* Sponsorship: https://ko-fi.com/drjones

[x] quote me freely [ ] ask before reusing [ ] keep private --==============20047881971053210=MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Description: signature
Content-Type: application/pgp-signature; name="signature.asc"; charset="us-ascii"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAmObN1IACgkQLHwxRsGg ASFDAQ//ZTcuuOtr0c0T6+Popmz49mHGL2s0/li0GQamzK2CmhPpo6BMp8vz7vU0 3fClOj4KyoqNSusKLEvtN4vDVH5GWhenEKK1B04iIHnsCYqN/HX/0xa4NMWJixLj Ao/efWLoRVSDEe4lMuqnkrbj8uUuT1lil7ZNau4VHtaYwz6ePaAvEdEYO5KpZwpG +XHeU/MogeUM4jHKa4wy8lsZYMmeZ/T07KCgiRRhCF3yx20n9Xn9DEXO4rF9TM9d /ZeO2dqUWVqBXIQY20RCEAVzNj4o4517zOPsu9hAPx5WI8pzeCtBdgCnCIy7/1xC d2LlyNLPo7NZw+tCezl/NdspE13vji3VDxCYGhuwQ3IZLJO1179eNtBsD6HQBklO QsQVshud5mg1QU+C3kbdvIjIPmH2aUN4YfzkOaQndOFJOnQQzyzt5lYh96s/GrH1 soz4m2C+W1WsPM2wciRCwWAMRIYmnBvj2Z+dB7cd

Ian Jackson <ijackson@chiark.greenend.org.uk> writes:

I would like to add the following entry to the table of build
profiles in BuildProfileSpec:

Profile anme: `cargo-upstream`
Can cause changes to built binaries, including functional chnges. (Y)
Should not cause changes to set of build debs. (N)
Description:
Obtain Rust dependencies from crates.io, not from Debian; use a
`Cargo.lock` from the source package if there is one. Will usually
cause cargo to make network accesses. Ideally, behaviour of the
resulting programs will be the same, but this is not guaranteed.

This is useful when developing packages which are to be uploaded to
Debian, but whose build dependencies are not yet available in the
targeted suite.

I think this is a great idea.

In addition to the benefits you list (and less importantly, because
there's less direct affect on Debian), having this feature available would
make it easier to create a first pass of a package of a Rust tool intended
for local use. I often build semi-broken short-cut packages locally of
things I need on some system but haven't yet found the time to make them properly ready for Debian, and then gradually finish the work to get them
into Debian. It would be very useful to have this support to get over the initial barrier to making a Debian package.

I think it would increase the likelihood that I'd eventually do the work
to get all the way to an uploadable Debian package, whereas if it's
difficult to bootstrap from Cargo, I'm much more likely to let laziness
win, just build a static binary, and copy it around.

This is why I don't agree with Jonas: yes, there *are* other ways to
achieve the same goal, but they're more complicated and harder to explain.
The user experience of this build profile looks a lot simpler and cleaner.

--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Ian,

Thank you very much for immediately taking this to the list. The
discussion I've seen thus far seems very constructive and useful to me.
Thanks to the other participants as well.

On Thu, Dec 15, 2022 at 10:41:13AM +0000, Ian Jackson wrote:

I would like to add the following entry to the table of build
profiles in BuildProfileSpec:

Profile anme: `cargo-upstream`
Can cause changes to built binaries, including functional chnges. (Y)
Should not cause changes to set of build debs. (N)
Description:
Obtain Rust dependencies from crates.io, not from Debian; use a
`Cargo.lock` from the source package if there is one. Will usually
cause cargo to make network accesses. Ideally, behaviour of the
resulting programs will be the same, but this is not guaranteed.

I think that you imply here that all of the rust libraries would be
annotated <!cargo-upstream>. Do you confirm?

Yes:

I caution that we increase our (uncompressed) sources by 200KB for
adding this. This assumes changing every package, but the scope
isn't entirely clear, see below. Do you confirm that this is the
intention and that you think this increase is fine?

No:

Would this profile show up in debian/control in any way? If not, why
use a build profile rather than an option?

(Please do skip questions that do not apply.)

Which packages should support this profile? I see the value for
applications. Do you also intend it for libraries? If yes, how do they
benefit?

How do you intend to transition packages to support this profile?
Should that happen on an as-needed basis? Should it happen as a mass
commit? Do you want it mass uploaded?

This is useful when developing packages which are to be uploaded to
Debian, but whose build dependencies are not yet available in the
targeted suite.

Given all of the mails in the thread thus far, you've convinced me:
* That the requested feature is useful.
* That it should be ecosystem-specific.
* That it needs to be easy to use (and that build profiles satisfy this
requirement).

On the bike coloring front, I do prefer putting the package ecosystem
last (i.e. upstream-cargo > cargo-upstream) for the consistency reasons
that you gave in a reply.

I would also question the "upstream" part as it wasn't obvious to me
initially. Good alternatives that aren't too long are not easy to come
by, but maybe you have a reason to reject "external"? I think "external"
would more strongly highlight that a build is no longer self-contained.

In any case, I think the naming questions are solvable one way or
another, so please focus on the non-naming aspects first. I don't feel
too strongly about naming.

However, this could be a generally useful feature for Debian's cargo
tooling to support, and I think it could do so in a general way so
that this profile would be available in most Debian packages
containing Rust code, without package-specific work. Whether to
implement such a feature is a matter for the maintainers of dh_cargo
et al.; IMO the build profile registration is useful even ad-hoc,
without any general feature.

Yeah, having this supported generically seems very useful. It would be
nice to have a supportive reply from one of the dh-cargo maintainers
here. (I do not see this as a requirement.)

I note that "without package-specific work" implies that you wouldn't
attach build profiles to Build-Depends, which was my initial question.
I'll stop second guessing here and wait for your answer.

Helmut

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Helmut Grohne writes ("Re: Proposed `cargo-upstream` dpkg-buildpackage etc. build profile"):

Thank you very much for immediately taking this to the list.

You're welcome.

Thanks for the review and the penetrating questions.

I think that you imply here that all of the rust libraries would be
annotated <!cargo-upstream>. Do you confirm?

Yes.

Yes:

I caution that we increase our (uncompressed) sources by 200KB for
adding this. This assumes changing every package, but the scope
isn't entirely clear, see below. Do you confirm that this is the
intention and that you think this increase is fine?

No, this is not my intention. And IMO that increase would be
undesirable.

This facility is certainly cxompletely useless for a Rust library
package - those whose .debs are the Rust text and metadata, for
building other programs against. Those things don't even have "real"
Rust build-dependencies - the Rust build deps are just there for
testing etc. And there is no use to anyone building such a package if
they are using upstream crates.io packages.

So at the very least we're limiting this to leaf packages containing
binaries. And, probably even then, this will only be useful when the
Debian or upstream maintainers want this hybrid or stepping stone
workflow.

I was imagining that this would be done ad-hoc by a maintainer when
they had a reason to do it, not that it would be supported by even
every leaf package. In some cases it might be a transitional state.

I do think it would be useful for the central tooling to offer this
build profile for every package, but I don't think it is appropriate
to annotate all the Rust build depends for every package this way.
Tools like debcargo ought *not* to add this build profile to the Rust
deps.

If this profile turns out to be widely desired for "leaf packages at
random", filtering (or dummy-satisfying) the build dependencies should
be done some other way.

Which packages should support this profile? I see the value for
applications. Do you also intend it for libraries? If yes, how do they benefit?

They don't.

How do you intend to transition packages to support this profile?
Should that happen on an as-needed basis? Should it happen as a mass
commit? Do you want it mass uploaded?

As needed. No mass commit, no mass upload, no automated change.

Given all of the mails in the thread thus far, you've convinced me:
* That the requested feature is useful.
* That it should be ecosystem-specific.
* That it needs to be easy to use (and that build profiles satisfy this
requirement).

On the bike coloring front, I do prefer putting the package ecosystem
last (i.e. upstream-cargo > cargo-upstream) for the consistency reasons
that you gave in a reply.

I think I'm sold on that name question.

I would also question the "upstream" part as it wasn't obvious to me initially. Good alternatives that aren't too long are not easy to come
by, but maybe you have a reason to reject "external"? I think "external" would more strongly highlight that a build is no longer self-contained.

I don't have strong feelings about this. I chose "upstream" because
that seems to be the term of art that people working in this space
use, to distinguish the general public package repo, from the Debian
one.

However, this could be a generally useful feature for Debian's cargo tooling to support, and I think it could do so in a general way so
that this profile would be available in most Debian packages
containing Rust code, without package-specific work. Whether to
implement such a feature is a matter for the maintainers of dh_cargo
et al.; IMO the build profile registration is useful even ad-hoc,
without any general feature.

Yeah, having this supported generically seems very useful. It would be
nice to have a supportive reply from one of the dh-cargo maintainers
here. (I do not see this as a requirement.)

I note that "without package-specific work" implies that you wouldn't
attach build profiles to Build-Depends, which was my initial question.
I'll stop second guessing here and wait for your answer.

I'm not sure precisely how this feature could (or should) be made
available to *all* application packages in a central way. Having
tools like debcargo automatically add the profile to the build deps
produces a lot of bloat. I'm hoping there is a better way.

But even without modifying the build dependencies, it is a lot easier
to cause a build to run without the stated build deps being satisfied,
than it is to do violence to the package build system.

This could be made easier. Maybe tools like sbuild could have a
sepaarate option to disregard build deps matching a wildcard pattern,
or something.

I am hoping to leave these considerations for the future.

Ian.

--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Ian,

On Thu, Dec 15, 2022 at 11:44:34PM +0000, Ian Jackson wrote:

I'm not sure precisely how this feature could (or should) be made
available to *all* application packages in a central way. Having
tools like debcargo automatically add the profile to the build deps
produces a lot of bloat. I'm hoping there is a better way.

I think this becomes the crux of the matter. I see basically two
distinct ways to move forward:

A

Do not annotate Build-Depends. We've seen a number of reasons for not
doing it, but the most significant are bloating sources and that it is
quite mechanical work while editing debian/control is usually manual.

In this case, a build profile is the wrong tool for the job. The value
for draw from build profiles precisely comes from formalizing their
effects in debian/control. If your profile skips this step, then it is
not the right tool.

But even without modifying the build dependencies, it is a lot easier
to cause a build to run without the stated build deps being satisfied,
than it is to do violence to the package build system.

I concur, but in this case, it can be a DEB_BUILD_OPTIONS or some other variable.

Admittedly, I think that the value of this feature significantly reduces without annotating Build-Depends, because you can no longer just use
sbuild or pbuilder. The ease of use suffers.

B

In this case, the profile description should be more clear about the
intended scope (rust application packages).

I also do not see us automating the update to Build-Depends.

This could be made easier. Maybe tools like sbuild could have a
sepaarate option to disregard build deps matching a wildcard pattern,
or something.

The idea is good in principle. Let me do a brief excursion into
Multi-Arch for comparison. By default, we have an architecture
constraint on dependencies. It can be lifted either by M-A:foreign on
the target of the edge or by :any on the source of the edge. A build
profile is a bit like :any and annotates the source of an edge. Your
proposed wildcard pattern would be a target annotation for build
profiles in this analogy while the current profile implementation has no
way to do such target annotations.

This idea is also applicable beyond rust. With the nopython build
profile, we might want to automatically annotate Python dependencies. Unfortunately, we are now in a place where a significant portion of
packages uses Python modules during build (e.g. sphinx) while not
producing any Python modules or extensions as output. As such, we cannot mechanically tell how such a dependency is being used. Maybe a package
later contains a rust crate that is not shipped, but only used during
build. In this case, we wouldn't want to annotate the relevant
dependencies either.

So I think annotating rust Build-Depends has to be a semi-manual task at
least. Updating dh-cargo or debcargo to automatically adapt its
behaviour still seems useful though as that reduces the amount of work
to updating Build-Depends.

What are your thoughts on updating Build-Depends?

Helmut

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Helmut Grohne writes ("Re: Proposed `cargo-upstream` dpkg-buildpackage etc. build profile"):

On Thu, Dec 15, 2022 at 11:44:34PM +0000, Ian Jackson wrote:

I'm not sure precisely how this feature could (or should) be made
available to *all* application packages in a central way. Having
tools like debcargo automatically add the profile to the build deps produces a lot of bloat. I'm hoping there is a better way.

I think this becomes the crux of the matter. I see basically two
distinct ways to move forward:

...

What are your thoughts on updating Build-Depends?

I think that in packages where the maintainer has deliberately chosen
to support this build profile, the maintainer should annotate the Build-Depends.

B

In this case, the profile description should be more clear about the
intended scope (rust application packages).

Yes.

Is "application package" precisely the right term? It could also
apply to: packages which provide shared objects (eg a .so plugin);
ABI/API libraries (eg trad C libraries whose innards are now rewritten
in Rust); packages which provide an executable that isn't an
application.

The possible scope includes any package whose .deb contains
executables (including possibly WASM, as well as native code) made by
compiling Rust. It might even include packages where Rust is used
only as part of the build system.

One way to describe the exception would be to say something like
(except Rust library packages)
or
(except Rust library packages themselves)

I also do not see us automating the update to Build-Depends.

I agree but for different reasons to yours. I don't want this done to
every Rust leaf package routinely, which would be the natural end
point of automating this.

This could be made easier. Maybe tools like sbuild could have a
sepaarate option to disregard build deps matching a wildcard pattern,
or something.

The idea is good in principle. Let me do a brief excursion into
Multi-Arch for comparison. By default, we have an architecture
constraint on dependencies. It can be lifted either by M-A:foreign on
the target of the edge or by :any on the source of the edge. A build
profile is a bit like :any and annotates the source of an edge. Your
proposed wildcard pattern would be a target annotation for build
profiles in this analogy while the current profile implementation has no
way to do such target annotations.

Yes. The information would ideally be centralised: "if you have a Build-Dependency matching librust-*-dev, disregard it with this
build-profile". So the edges would be "annotated" but implicitly.

Failing that I guesss we could add a general facility of this shape
Disregard-build-depends-with-build-profile: upstream-cargo
a la M-A.

This idea is also applicable beyond rust. With the nopython build
profile, we might want to automatically annotate Python dependencies. Unfortunately, we are now in a place where a significant portion of
packages uses Python modules during build (e.g. sphinx) while not
producing any Python modules or extensions as output. As such, we cannot mechanically tell how such a dependency is being used. Maybe a package
later contains a rust crate that is not shipped, but only used during
build. In this case, we wouldn't want to annotate the relevant
dependencies either.

The analogy with "nopython" is rather misleading. (You could have
"norust" too; not sure if that's in the list right now.)

With nopython, we want to *avoid doing the Python things at all*. But
"the Python things" here isn't "all Python things" - it's "certain
Python things that appear in the outputs". So that can't be done as a
blanket exclusion on B-d.

With upstream-cargo, we want to *do all the Rust things, but get them
all from upstream crates.io*. This should affect *every* dependency
on a cargo package (except ones that are within the source package
itself).

So if a package that previously didn't do any Rust things, gains a
Rust crate that is not "shipped" (to /usr/share/cargo/registry), then
this buid profile does become nontrivially applicable. (Of course
this build profile is trivially applicable to packages which don't
involve cargo at all).

The reason why the upstream-cargo profile ought not to be provided for
a Rust library crate is not becuase it's incoherent or wrong in a
narrow sense.

A Rust library crate typically *does* actually run rustc during rules
build, as a check:
https://deb.debian.org/debian/pool/main/r/rust-cxx/rust-cxx_1.0.73-1.dsc
And in principle it is perfectly coherent to say "please build this
source package, but do the check with upstream Rust Dependencies".

But this is not *useful* to support as a build profile. Narrowly,
because you might as well just say "nocheck" and run the "cargo test"
yourself by hand.

But, more relevantly, and broadly: no-one needs to do this. If you
are working on a Rust library, then either (i) you are doing this as
part of work to get the Rust library into Debian, in which case making
some kind of hybrid situation like this is just going to lead to
confusion and pain - you should use the Debian Rust universe, and
build fromk the bottom up; or (ii) you *aren't* trying to use the
Debian Rust ecosystem at all, in which case why are you bothering ?

IOW the reason the build profile isn't applicable to Rust library
source packages is because a Rust library source package produces only
Rust library .debs, but the use case for the build profile is
precisely to use upstream crates instead of Rust library .debs.

So I think annotating rust Build-Depends has to be a semi-manual task at least. Updating dh-cargo or debcargo to automatically adapt its
behaviour still seems useful though as that reduces the amount of work
to updating Build-Depends.

Yes.

And, also, having the tooling honour this build-profile allows the
user to bodge the situation, when they want to build a naive
compiled-Rust-code package in another context. *That* could be done
with a DEB_BUILD_OPTION but it doesn't make much sense to have the
same thing both as a (fully-supported, but manually applied) build
profile and a (requires bodging, but universally applicable) build
option.

Ian.

--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Quoting Russ Allbery (2022-12-15 17:41:15)

Ian Jackson <ijackson@chiark.greenend.org.uk> writes:

I would like to add the following entry to the table of build
profiles in BuildProfileSpec:

Profile anme: `cargo-upstream`
Can cause changes to built binaries, including functional chnges. (Y)
Should not cause changes to set of build debs. (N)
Description:
Obtain Rust dependencies from crates.io, not from Debian; use a
`Cargo.lock` from the source package if there is one. Will usually
cause cargo to make network accesses. Ideally, behaviour of the
resulting programs will be the same, but this is not guaranteed.

This is useful when developing packages which are to be uploaded to
Debian, but whose build dependencies are not yet available in the
targeted suite.

I think this is a great idea.

In addition to the benefits you list (and less importantly, because
there's less direct affect on Debian), having this feature available would make it easier to create a first pass of a package of a Rust tool intended for local use. I often build semi-broken short-cut packages locally of things I need on some system but haven't yet found the time to make them properly ready for Debian, and then gradually finish the work to get them into Debian. It would be very useful to have this support to get over the initial barrier to making a Debian package.

I think it would increase the likelihood that I'd eventually do the work
to get all the way to an uploadable Debian package, whereas if it's
difficult to bootstrap from Cargo, I'm much more likely to let laziness
win, just build a static binary, and copy it around.

This is why I don't agree with Jonas: yes, there *are* other ways to
achieve the same goal, but they're more complicated and harder to explain. The user experience of this build profile looks a lot simpler and cleaner.

I don't have a firm opinion here, so wonder what you disagree with, Russ.

For the record, prior to this thread Ian reached out to me privately
where we discussed my work on forking dh-cargo to behave more
"Debian-ish" than what is developed by the Rust team.

Perhaps this is a language thing: When I "question" Ians proposed
approach, I do not imply that I reject it or am against it, only that I
want to better understand it.

Since my last post in this thread, Ian reached out to me privately, but
have chosen not to share that conversation here, which leaves me in an
odd situation appearing as being against this proposal. I am not!


- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
* Sponsorship: https://ko-fi.com/drjones

[x] quote me freely [ ] ask before reusing [ ] keep private --==============d00277455843103450=MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Description: signature
Content-Type: application/pgp-signature; name="signature.asc"; charset="us-ascii"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAmOccfUACgkQLHwxRsGg ASHUsQ//YihgQtVPTga2MKFDhxXIDYkNBijj56jZn+2uYQRLXkS2Xz/S/CHa7GnE CZ62pNxSTiFudjMf2+GEODWAV3MInhUEH11x6t/iQ4yl+uykSoFpv+5Z3F7S+HAN XmBu0HPPGib6UyHctWdGl5sB8xGFW1XDNZbOSEA2Y7NUkVXANFFCbzipX5JSz/2Z /2qM1Hh1EFsgbZj1ImUqH13+f+YbeFLGdMt866fAyrHt+gi63cp+bHJi7MhI33Hs 1ZkfjO/SaySEFyHHfUvbNvH/Ezj/E5RY8zTM78HH9RWjo+c8rD+LzshBldGA3I06 mk6GOzgMkSVgR6OEpiLmFSH7P2W9kwsHTOUgxPu1CFHDHdDfpEqj0fDj1IS3qkbE Pc0UKeDJV2IVg/Rz5L9jzm+/PDLtflR0JBAAgFhCTgumslWU1cgfL/xmBOt88SKA 0uNKIP9LFUjgGizgUWyC4AmnIvQXMsRdv+p9Ad/k

Jonas Smedegaard <jonas@jones.dk> writes:

Quoting Russ Allbery (2022-12-15 17:41:15)

This is why I don't agree with Jonas: yes, there *are* other ways to
achieve the same goal, but they're more complicated and harder to
explain. The user experience of this build profile looks a lot simpler
and cleaner.

I don't have a firm opinion here, so wonder what you disagree with,
Russ.

For the record, prior to this thread Ian reached out to me privately
where we discussed my work on forking dh-cargo to behave more
"Debian-ish" than what is developed by the Rust team.

Perhaps this is a language thing: When I "question" Ians proposed
approach, I do not imply that I reject it or am against it, only that I
want to better understand it.

Oh, I'm sorry, this is probably just a sequence of misunderstandings. I
think I misunderstood your message as being somewhat opposed, and then I
think you read my "disagree" as stronger than I meant it. All I was
trying to say is that I think (based on my very sketchy understanding of
build profiles) that this would have a lower bar of entry for building non-Debian packages as a stepping stone to proper Debian packages than pre-downloading the dependencies.

--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Quoting Russ Allbery (2022-12-16 17:07:00)

Jonas Smedegaard <jonas@jones.dk> writes:

Quoting Russ Allbery (2022-12-15 17:41:15)

This is why I don't agree with Jonas: yes, there *are* other ways to
achieve the same goal, but they're more complicated and harder to
explain. The user experience of this build profile looks a lot simpler
and cleaner.

I don't have a firm opinion here, so wonder what you disagree with,
Russ.

For the record, prior to this thread Ian reached out to me privately
where we discussed my work on forking dh-cargo to behave more
"Debian-ish" than what is developed by the Rust team.

Perhaps this is a language thing: When I "question" Ians proposed
approach, I do not imply that I reject it or am against it, only that I want to better understand it.

Oh, I'm sorry, this is probably just a sequence of misunderstandings. I think I misunderstood your message as being somewhat opposed, and then I think you read my "disagree" as stronger than I meant it. All I was
trying to say is that I think (based on my very sketchy understanding of build profiles) that this would have a lower bar of entry for building non-Debian packages as a stepping stone to proper Debian packages than pre-downloading the dependencies.

Ah, indeed I failed to read nuance into your post. Sorry for my
unfounded criticism!

- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
* Sponsorship: https://ko-fi.com/drjones

[x] quote me freely [ ] ask before reusing [ ] keep private --==============e90585370151043082=MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Description: signature
Content-Type: application/pgp-signature; name="signature.asc"; charset="us-ascii"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAmOcm3sACgkQLHwxRsGg ASGyGxAApDdzMfBl1RxUIDFIROoxunQ1CyhlTT59/Ez+MPH1B5pPhqbGvs0QbVxs vH8AtmyrlvQT/MmxTH+Rr4rm3EiG2PNsoG5DX4FnXnTYqFKJD+uHNK5jjNOHqOMA Q7djLyrSKXvBFCsTXu80L9gO4+Maus5ekFys6NG7HxiwLEqw/2CV/9PT1hJkkPav Gbzrp985t8ULIYzrzfzck4XvzKKwH8QKuOsuOsc2PGhi/gkvXM5SGd/GHvWP+W++ nhn2Ng1re2/N+w4lAAYLu2VChAWqR50lgDgLnSYjIk6Wbe1JngFjSB579tNigaD0 AaltzdjnRQGsKJpB7lFdOaLrY6z4EdD7ZiKuXcZ+3k2I520TQUsNayjaB3RCMa+d JX82ThQ/kkA9Ex3jSgPU8Wdsbwp8kQ280hzHOYR33nwHlH/Cu05amFZKXQC7h0KQ EqNuQ83HAQCvbwYfNt4wnoQKEqw8AlvPHWYfzPhp

On Fri, 16 Dec 2022 at 11:01:58 +0000, Ian Jackson wrote:

With nopython, we want to *avoid doing the Python things at all*. But
"the Python things" here isn't "all Python things" - it's "certain
Python things that appear in the outputs". So that can't be done as a blanket exclusion on B-d.

As a concrete example of this distinction, src:vulkan-loader runs a
Python script during build to regenerate some mechanically-generated C
code, but its only end result is a C library and some C/C++ headers. In principle it would be possible to have a build-profile that makes it use
the pre-generated version provided by upstream[1] instead of regenerating
it, perhaps <prebuilt> or something, but that would be outside the scope
of <!nopython> (and apparently not useful enough in this case for anyone
to want to implement it).

Conversely, the main end result of compiling src:avahi is a collection
of C libraries (and a daemon and some tools), but it optionally also
produces a Python module (and a non-essential Python program that uses
it). Excluding those Python parts with <!nopython> is in-scope: it's
reasonable to say "I want a C/C++ library stack with libavahi and others,
but I don't care about any Python bindings" (for instance for use inside
an app-container that is designed for C/C++ code).

smcv

[1] in the past the pre-generated version was used unconditionally,
until #981362 changed the build to regenerate it unconditionally

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Thanks to everyone for the comments and review. I have written things
up on the wiki:
https://wiki.debian.org/BuildProfile/upstream-cargo
and added the entry here:
https://wiki.debian.org/BuildProfileSpec

Please comment here, if you think any of this doesn't make sense.

Thanks,
Ian.

--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)