Re: lang/rust is super slow to build
- Reply: Roger Marquis : "Re: lang/rust is super slow to buildZ"
- In reply to: Roger Marquis : "Re: lang/rust is super slow to build"
Date: Wed, 14 Dec 2022 00:49:53 UTC
On Tue, Dec 13, 2022 at 3:32 PM Roger Marquis <marquis@roble.com> wrote:

> > IMHO the ports collection should provide and use prebuilt packages of
> > compilers (LLVM, GCC, Rust, etc.) built from the FreeBSD packages builder,
> > and ports framework (possibly also the base system) should be changed to
> > use prebuilt packages by default.
>
> That would violate the principle of least surprise. If the same command
> used with one port compiles from source but when used from another port
> downloads a pre-built binary that's to be avoided (whether or not some
> java ports already do this).

POLA doesn't mean we cannot make reasonable changes to the existing practices. In fact, poudriere is already using prebuilt packages: when a set of packages depends on GCC, for example, it would build a binary package, then use that binary package for building these packages instead of building GCC over and over again.

> If we're talking about Poudriere then please first consider better
> build-time optimizations than downloading binaries that may have
> security implications and will change over time.

Well, optimization is an orthogonal goal. We should explore build time optimizations, but that doesn't change the fact that repeatedly building the same source artifact shall generate the same binary artifacts. Optimization means one can build these binaries faster when they want, and using prebuilt artifacts means one doesn't have to rebuild them over and over again, which is usually not needed.

Using prebuilt binaries is not necessarily compromising security when done right. I think to ensure safety of these prebuilt binaries, we need to invest in e.g. making package builds reproducible (so an independent third party can audit and validate that the binaries are actually built from the source that they claimed to be when they want), ensure that the builders are safe, and sign the packages on the builders.

> Tangent: If we're talking about additional make (not pkg) functionality
> then please add a constant to only create packages, for the target app
> and all dependencies, and install them only using pkg (the OpenBSD
> model).
>
> Roger