Hi Tim,
thanks for the insight!
On 03.11.23 18:04, Tim Crawford via coreboot wrote:
Would we want to use `rustup`?
Yes.
So to use this, I have to kill my local Rust toolchain?
That's not a "local" rust toolchain. That's the distro-provided global toolchain.
Yes, but I deleted my local copy. Not all the copies in the world ;) I meant local as "not the rust(up) project's one".
You would remove the distro packages of `rustc` and `cargo` and use rustup instead. Rustup is a toolchain manager; It allows you to install multiple toolchain versions side-by-side, instead of just the 1 version the distro provides.
(I would hope Go has something comparable for managing multiple toolchain installs.)
I would hope this wouldn't be necessary and one toolchain could compile all the Rust programs (we'll need).
- Currently we have a chain of trust:
If we surrender the control about what to download (and install and run) to another program, we should probably warn the user. I had a quick look at `rustup` and `cargo` and couldn't find an answer if things can be specified by hash. I hope they can.
- our Git repository and the checked out commit (hash)
- hashes for files to download (e.g. for the GCC sources)
- those are checked into the repository
It's not hashes, but projects can use a `rust-toolchain.toml` file to control the exact Rust version used. e.g.:
Do you happen to know what cryptographic mechanisms are used to ensure that what the server delivers is what was asked for?
Nico