Date:      Tue, 13 Dec 2022 16:49:53 -0800
From:      Xin LI <delphij@gmail.com>
To:        Roger Marquis <marquis@roble.com>
Cc:        freebsd-ports@freebsd.org
Subject:   Re: lang/rust is super slow to build
Message-ID:  <CAGMYy3vBKnroT4OJpsYGOckAf79AMXiARmCkNDuDgt2jEfmZ6A@mail.gmail.com>
In-Reply-To: <39n96570-44r2-opnp-512n-po85597n6qn6@mx.roble.com>
References:  <EDE0639D-04CE-44C6-922D-159F45576296@patmaddox.com> <c2c55e9a-3af7-19b9-a9f4-060cd4e1f584@bluerosetech.com> <CAGMYy3shq_Jdgd7-GppOJsGKup=RpUk-p%2B=OBbOs5107b1aWhw@mail.gmail.com> <39n96570-44r2-opnp-512n-po85597n6qn6@mx.roble.com>

On Tue, Dec 13, 2022 at 3:32 PM Roger Marquis <marquis@roble.com> wrote:

> > IMHO the ports collection should provide and use prebuilt packages of
> > compilers (LLVM, GCC, Rust, etc.) built from the FreeBSD packages builder,
> > and ports framework (possibly also the base system) should be changed to
> > use prebuilt packages by default.
>
> That would violate the principle of least surprise.  If the same command
> used with one port compiles from source but when used from another port
> downloads a pre-built binary that's to be avoided (whether or not some
> java ports already do this).
>

POLA doesn't mean we cannot make reasonable changes to the existing
practices.

In fact, poudriere is already using prebuilt packages: when a set of
packages depends on GCC, for example, it would build a binary package, then
use that binary package for building these packages instead of building GCC
over and over again.


> If we're talking about Poudriere then please first consider better
> build-time optimizations than downloading binaries that may have
> security implications and will change over time.
>

Well, optimization is an orthogonal goal.  We should explore build-time
optimizations, but that doesn't change the fact that repeatedly building
the same source artifact shall generate the same binary artifacts.
Optimization means one can build these binaries faster when they want, and
using prebuilt artifacts means one doesn't have to rebuild them over and
over again, which is usually not needed.

Using prebuilt binaries is not necessarily compromising security when done
right.  I think to ensure safety of these prebuilt binaries, we need to
invest in e.g. making package builds reproducible (so an independent third
party can audit and validate that the binaries are actually built from the
source that they claimed to be when they want), ensure that the builders
are safe, and sign the packages on the builders.


>
> Tangent: If we're talking about additional make (not pkg) functionality
> then please add a constant to only create packages, for the target app
> and all dependencies, and install them only using pkg (the OpenBSD
> model).
>
> Roger
>
>
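
Added example, not part of the original message or of any FreeBSD tooling: a sketch of the independent rebuild-and-compare audit that reproducible package builds make possible. Plain uncompressed tar archives stand in for package files, and the file names, timestamps and contents are constructed sample data.

```python
import hashlib
import io
import tarfile

def make_pkg(files, mtime):
    """Build a constructed sample 'package': an uncompressed tar of {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):              # fixed order keeps output deterministic
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime                  # a common source of non-reproducibility
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def member_digests(archive):
    """Map every regular file in the archive to the SHA-256 of its content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests

def compare_builds(published, rebuilt):
    """Return (verdict, differing_files) for a published package vs. a rebuild."""
    if hashlib.sha256(published).digest() == hashlib.sha256(rebuilt).digest():
        return "identical", []                  # the only verdict that validates the binary
    a, b = member_digests(published), member_digests(rebuilt)
    differing = sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))
    if differing:
        return "content-differs", differing     # payload does not match the claimed source
    # Same file contents, different archive bytes: timestamps, modes, owners, ordering.
    # Still not a pass (mode bits are security-relevant), but it points at build
    # non-determinism rather than at a changed payload.
    return "metadata-only", []

# Constructed sample data: three rebuilds of the same hypothetical port.
SOURCE = {"bin/tool": b"\x7fELF-sample", "share/doc/README": b"docs\n"}
PUBLISHED = make_pkg(SOURCE, mtime=1670000000)
REBUILD_PINNED = make_pkg(SOURCE, mtime=1670000000)    # timestamp pinned by the build
REBUILD_UNPINNED = make_pkg(SOURCE, mtime=1670086400)  # wall clock leaked into the build
REBUILD_ALTERED = make_pkg({**SOURCE, "bin/tool": b"\x7fELF-other"}, mtime=1670000000)

if __name__ == "__main__":
    for label, pkg in [("pinned", REBUILD_PINNED), ("unpinned", REBUILD_UNPINNED),
                       ("altered", REBUILD_ALTERED)]:
        print(label, compare_builds(PUBLISHED, pkg))
```

Only a byte-identical rebuild lets the auditor rely on the builder's signature over the published file; the other two verdicts separate non-deterministic builds from a payload that differs from the source.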
