On Mon, Jun 10, 2024 at 04:47:33PM -0400, Stefan Hajnoczi wrote:
> On Mon, 10 Jun 2024 at 16:27, Manos Pitsidianakis
> <manos.pitsidiana...@linaro.org> wrote:
> >
> > On Mon, 10 Jun 2024 22:59, Stefan Hajnoczi <stefa...@gmail.com> wrote:
> > >> Should QEMU use third-party dependencies?
> > >> -----------------------------------------
> > >> [shouldqemuusethirdparty] Back to [TOC]
> > >>
> > >> In my personal opinion, if we need a dependency we need a strong
> > >> argument for it. A dependency needs a trusted upstream source, a QEMU
> > >> maintainer to make sure it is up-to-date in QEMU etc.
> > >>
> > >> We already fetch some projects with meson subprojects, so this is not a
> > >> new reality. Cargo allows you to define "locked" dependencies which is
> > >> the same as only fetching specific commits by SHA. No suspicious
> > >> tarballs, and no disappearing dependencies a la left-pad in npm.
> > >>
> > >> However, I believe it's worth considering vendoring every dependency by
> > >> default, if they prove to be few, for the sake of having a local QEMU
> > >> git clone buildable without network access.
> > >
> > >Do you mean vendoring by committing them to qemu.git or just the
> > >practice of running `cargo vendor` locally for users who decide they
> > >want to keep a copy of the dependencies?
> > >
> >
> > Committing, with an option to opt-out. They are generally not big in
> > size. I am not of strong opinion on this one, I'm very open to
> > alternatives.
>
> Fedora and Debian want Rust applications to use distro-packaged
> crates. No vendoring and no crates.io online access. It's a bit of a
> pain because Rust developers need to make sure their code works with
> whatever version of crates Fedora and Debian provide.
NB Fedora isn't actually that strict for Rust. The "no vendoring" policy
is merely a "SHOULD", rather than a "MUST" requirement:

  https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/#_vendored_dependencies

which is a more pragmatic approach to the real world packaging where
there's potentially 100's of deps in an application chain.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|