Web lists-archives.com

Re: Uncoordinated upload of the rustified librsvg




Hello!

On 11/7/18 8:07 PM, Josh Triplett wrote:
>> Well, I wouldn't bet on that. I know that a lot of people have the
>> feeling that rewriting everything in Rust will solve all problems
>> in software we have nowadays but that's not the case. Rewriting large
>> projects is associated with a high cost and not many companies are
>> willing to pay for that. Also, there have already been several
>> vulnerabilities in Rust and Cargo as well, so the safety is not
>> really an argument.
> 
> I really don't feel the need to recreate extensive language arguments
> here. I think it safe to say that Rust's small handful of documented
> issues in the standard library pales in comparison to the history of
> whole classes of bugs in C programs. But the point of this thread is not
> advocacy, it's simple observation.

I don't think the majority of bugs exist because of C language issues.

Do you have any data to undermine that argument?

> I'm not suggesting the world will get rewritten in Rust overnight. It
> seems a rather safe bet, however, that a non-zero number of additional
> Rust libraries and binaries will show up in the core ecosystem.

Sure. But also not 95%.

>>> Running old versions of a library is not a viable long-term strategy.
>>> Attempting to find alternatives written in C is not a viable long-term
>>> strategy either; that's running in the wrong direction. Ultimately, the
>>> new version will need uploading to Debian, and an architecture that
>>> wants to run a full desktop, or for that matter a server or embedded
>>> environment, will need to have LLVM support and Rust support.
>>
>> I know that. That's why I also criticized the upstream developer,
>> of librsvg, who happens to be a colleague of mine at SUSE, who was responsible
>> for that change.
> 
> For attempting to improve beyond C? Hardly a criticism.

How many CVEs were there on average in librsvg per year that were a result
of the language? Again, any data on that beyond assumption? I am seeing
8 CVEs in 6 years. I haven't looked into the details yet whether they were
a result of the C language or whether they were critical at all:

> https://www.cvedetails.com/vulnerability-list/vendor_id-283/product_id-23082/Gnome-Librsvg.html

>> Will be interesting to see what will happen in the future
>> when the rustified version of librsvg will try move into the enterprise
>> distributions.
> 
> Seems far less likely to encounter issues, given that enterprise
> distributions target mainstream architectures only.

That's not how enterprise distributions work at all. The main goal is to
not update at all if it's not necessary. It's not related to the architecture.

>>> I think it's reasonable for the *first* such library being uploaded to
>>> wait a little while to coordinate, which it did.
>>
>> It didn't even wait for Rust to stabilize on the architectures it was
>> recently bootstrapped for. There was no guarantee the Rust compiler will
>> work on arm32 or mips32 in the foreseeable future.
> 
> Define "stabilize". And in particular, how were people to know this from
> https://lists.debian.org/debian-devel-announce/2018/11/msg00000.html ?

Given the fact that you're Rust upstream, I think you should be aware of it.
If I know about these issues as an irregular Rust upstream contributor with
just around 20 patches better than you, you're not really making a compelling
argument.

>> Given the fact that Rust upstream is always introducing a significant number
>> of changes with each release, there is quite a chance of regressions of
>> the compiler on these architectures.
> 
> This does not relate. The language has active development, like any
> package that isn't dead upstream. What makes it any *more* likely to
> have regressions?

The release of completely new upstream versions every six weeks. Compare
that to OpenJDK, gcc or golang. None of these languages is introducing
such huge changes on a regular basis.

Are you denying the fact that there isn't a difference between and other
languages in this regard? I have worked with the Rust upstream sources
well enough to know these issues. You have a regression in Rust 1.25 and
you will have a very hard time trying to bisect the issues simply because
you cannot even build 1.25 using a 1.19 compiler because the language
has changed too much in the mean time. I know this is more a problem
with the compiler source itself than with other packages but I think
it still shows the current volatility of the language very well.

> What makes it likely to have regressions is a lack of direct support
> for such architectures upstream. As a random example: where are the bots
> that run testsuites on other architectures for PRs?

Well, I know that other languages don't have this issue. You cannot blame
the lack of these bots on me. I have done as much as I can to help
Rust upstream beyond their main target architectures. But there is only
so much energy that I can invest without being paid for that work. I
have definitely invested a lot of time and energy trying to improve
Rust. Luckily I have very fast hardware available so that building
Rust doesn't take too long.

>>> I don't, however, think it's reasonable to wait indefinitely.
>>
>> No one was saying that. But I think it's more reasonable to wait for
>> the Rust compiler to stabilize
> 
> Rust is stable. Thank you for your contributions helping it work on more
> architectures, but "does not have first-tier support for every
> architecture ever" is not a component of "stabilize".

We're talking in the context of Debian. What is not a tier I architecture
in Rust is a tier I architecture in Debian. That's the difference. It's
fine for Rust upstream to set these standards, but it's obvious that these
standards are in conflict with Debian's standards.

>> There is still no Rust-stable branch in sight which is
>> most certainly a requirement for Rust to be part of enterprise distributions.
> 
> This has certainly been discussed upstream, but in general, it's not
> obvious what this would gain over simply taking any stable release of
> Rust and packaging it.

Well, if the language continues to add features in new upstream versions,
there are certainly downstream users interested in using these features
which will eventually mean that adding package X to SLES will result in
someone having to backport a newer version of Rust which is not what
the maintenance teams like to see.

I have been involved in discussions at SUSE where a certain Python3 package
was needed to be introduced to SLE-11. In the end, it pulled in so many
new dependencies that the maintenance team had to discard the request simply
because too much of the Python3 baseline is missing in SLE-11. Luckily,
such transitions are rather rare in Python.

>> I know the QA processes associated for SLES to update packages in a release
>> version and I could imagine that it's not anything less involved for
>> RHEL or other enterprise distributions. It seems that Rust upstream has
>> not had any of the enterprise and long-term support distributions in
>> mind yet. They seem to assume that distributions can just always use the
>> latest upstream versions.
> 
> No, we assume that distributions can package Rust alongside Rust
> software and that the packaged software will work with the packaged
> Rust. There's no need to use "the latest upstream version"; you only
> need to update to a new upstream version of Rust if you update to a new
> upstream version of software written in Rust.

See above. As long as you keep on adding language features the moment
you release new versions of the compiler, there will be downstream
users using these features. If I remember correctly, Google for example
is very careful when it comes to adding new languages features in Go
exactly for this reason.

>>> If even more coordination had taken place than what already did,
>>> what would have been the expected outcome?
>>
>> A Rust compiler that doesn't regress every six weeks, maybe?
> 
> It's not reasonable to block the introduction of software written in
> Rust on some developer (not yet identified) taking the time to
> contribute the necessary infrastructure upstream to continually test
> multiple additional uncommon architectures. And that's what would be
> necessary.

Again, in the context of Debian, this poses a problem. If you as upstream
say that you don't care if Rust breaks on some of the Rust tier II architectures
that are release architectures in Debian, there will be a conflict. Either
Rust accepts more architectures as tier I or you convince Debian to
make anything but arm64 and x86_64 a release architectures. There is a
clear conflict of interest here which is, again, why I think it's a bad
idea to use Rust code in a core component like librsvg. This has been honestly
not carefully thought through and will most certainly cause some friction
in the future.

>>> precisely because if non-release architectures need to
>>> keep an outdated version while working on porting efforts, they'll
>>> automatically do so, and that shouldn't impede those architectures too
>>> much as long as other packages don't start depending specifically on
>>> functionality from the new librsvg. (And if packages do start having
>>> such dependencies, they'll get held back too.)
>>
>> Debian Ports doesn't support the cruft mechanism that DAK supports. We're
>> lucky that the librsvg-common package is of arch any, otherwise librsvg
>> would already been uninstallable in Debian Ports. So, this is just
>> pure luck. Please don't make such statements when you're not aware of
>> the differences between Debian's release and ports architectures.
> 
> Good to know, and sorry to hear that. Another reason why it doesn't seem
> particularly unreasonable to focus on release architectures, and treat
> others as "best effort".

Sure, I'm not arguing that. However, we still have the problem that we
have multiple architectures in Debian that Debian considers release
architectures which Rust upstream considers tier II only.

>>> Speaking with an upstream Rust hat on in addition to a
>>> Debian hat: what could Rust do to make life easier for porters?
>>
>> Please provide an actual stable version of the Rust compiler that
>> is supported in the long term and can be shipped by enterprise
>> distributions.
> 
> There's a stable version of the compiler every six weeks. Pick one and
> ship it.
> 
> If, instead of "stable", you mean "supported on other architectures",
> that's going to require upstream infrastructure to *test* those
> architectures on a regular basis.

With stable I mean that I can assume that Rust 1.X compiles the same code
as Rust 1.Y. I accept that Rust upstream thinks that this is a viable
model of developing the language and compiler, but I don't think this
is compatible with most downstream distributions and users. Distributions,
unless they are rolling release, usually evolve much slower. And the more
you are shifting into the enterprise field, the slower that speed is to
the point that you have distributions like RHEL or SLES which support
their software for well beyond 10 years.

>>> And what could Debian's *considerable* expertise in porting do to make that more
>>> sustainable upstream? (As an example, it might help if upstream Rust
>>> folks had access to machines for more architectures, though that's a
>>> side issue for having an LLVM port in the first place.)
>>
>> Debian Ports has worked closely with QEMU upstream to help make significant
>> improvements to that emulator. So, in most cases, Rust developers can just
>> use QEMU for the first porting efforts. But there are also porterboxes available
>> from gcc to which we from Debian Ports also have provided hardware, for example:
> 
> I'm more suggesting that if people want to see an architecture better
> supported, it needs to end up in at least tier 2 on
> https://forge.rust-lang.org/platform-support.html .

Yes, I'm aware of the tier model. I just think upstream should keep more
invasive changes for a 2.x version and not rewrite half of the compiler
every six weeks.

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@xxxxxxxxxx
`. `'   Freie Universitaet Berlin - glaubitz@xxxxxxxxxxxxxxxxxxx
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913