#15 Support auto-scanning for vendored dependencies and generating appropriate bundled() Provides
Closed: Fixed 7 months ago by decathorpe. Opened 7 years ago by ngompa.

It is quite common for big projects with Rust code to vendor their dependencies. rust2rpm should be able to scan for vendored dependencies and generate Provides: bundled(crate(foo)) = 1.2.3 lines for the bundled dependencies.

Note that while it's generally in a vendor subdirectory in the same directory as Cargo.toml, that isn't necessarily guaranteed. But at least at a first pass, we can start here...


(10:55:58 PM) jistone: ignatenkobrain, won't it be hard to tell what's actually shipped? I don't think you need bundled() for transient build artifacts

The only Fedora packages that build from vendored Rust sources (firefox, 389-ds, etc.) have either already developed their own scripts to generate Provides: bundled(crate(*)) = x.y.z for their bundled crates, or they already don't care about packaging guidelines.

So I think we can close this ticket.

Contrary to my previous comment, I've now implemented an RPM generator for bundled Provides. Using it involves two simple steps:

  • in %build, run %cargo_vendor_manifest
  • in %files, add %license cargo-vendor.txt

The %cargo_vendor_manifest macro uses the same logic as the cargo vendor command, i.e. contents of the directory created by cargo vendor should match the output of %cargo_vendor_manifest.

This includes all vendored dependencies (i.e. also build-only dependencies), since we also need to keep track of those - even a build-only dependency can have a security vulnerability, for example, if a crate that is used to generate code (proc macro, build script dependency, etc.) produces bad code.

The new macros will be available in rust-packaging v25 and need cargo2rpm v0.1.8.

Metadata Update from @decathorpe:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

7 months ago
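As an added illustration of the approach described in the comment above (this is example code written for this page, not the rust2rpm/cargo2rpm implementation or anything from the ticket), the script below emits Provides: bundled(crate(NAME)) = VERSION lines from a Cargo.lock. The lock file lists exactly the set of packages that cargo vendor copies, build-only and proc-macro dependencies included, so it is a convenient source for the bundled list. The Cargo.lock content, the crate names and the helper names are constructed for the example; the mapping of a SemVer pre-release separator to RPM's tilde mirrors the convention cargo2rpm uses for crate versions.

```python
"""Emit RPM `Provides: bundled(crate(...))` lines from a Cargo.lock.

Hypothetical stand-alone helper (not rust2rpm/cargo2rpm code): every package
recorded in the lock file with a registry or git `source` is what
`cargo vendor` copies into the vendor directory, build-only dependencies
included, so each one is declared as bundled.
"""
import re
from typing import Dict, List

# Constructed sample Cargo.lock: one workspace member (no `source`) and three
# dependencies. `proc-macro2` stands in for a build-only proc-macro dep and
# `fancy` for a crate pinned to a pre-release version.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "fancy",
 "proc-macro2",
 "serde",
]

[[package]]
name = "fancy"
version = "2.0.0-beta.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "proc-macro2"
version = "1.0.70"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.193"
source = "git+https://github.com/serde-rs/serde?rev=abc123#abc123"
"""


def parse_cargo_lock(text: str) -> List[Dict[str, str]]:
    """Return the [[package]] tables of a Cargo.lock as dicts of scalar keys.

    Minimal parser for the lock file's fixed layout (assumption: `key = "value"`
    lines plus a multi-line `dependencies = [...]` array, which is skipped);
    it avoids a TOML library so the example runs offline on any Python 3.
    """
    packages: List[Dict[str, str]] = []
    current = None
    in_array = False
    for line in text.splitlines():
        line = line.strip()
        if in_array:
            in_array = line != "]"
            continue
        if line == "[[package]]":
            current = {}
            packages.append(current)
            continue
        if current is None or not line or line.startswith("#"):
            continue
        m = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', line)
        if m:
            current[m.group(1)] = m.group(2)
        elif line.endswith("["):  # start of `dependencies = [`
            in_array = True
    return packages


def rpm_version(semver: str) -> str:
    """Map a Cargo SemVer string to an RPM version.

    RPM forbids `-` in versions, so a pre-release such as `2.0.0-beta.1`
    becomes `2.0.0~beta.1` (the tilde sorts before the final release, as a
    pre-release must); build metadata after `+` carries no precedence and is
    dropped.
    """
    base = semver.split("+", 1)[0]
    return base.replace("-", "~", 1)


def bundled_provides(lock_text: str) -> List[str]:
    """Return sorted `Provides: bundled(crate(NAME)) = VERSION` lines.

    Packages without a `source` are workspace members (the crate being built,
    not a vendored dependency) and are skipped. Everything else in the lock,
    proc-macro and build-script dependencies included, is declared.
    Duplicate name/version pairs are collapsed.
    """
    seen = set()
    lines = []
    for pkg in parse_cargo_lock(lock_text):
        if "source" not in pkg:
            continue
        key = (pkg["name"], rpm_version(pkg["version"]))
        if key in seen:
            continue
        seen.add(key)
        lines.append(f"Provides: bundled(crate({key[0]})) = {key[1]}")
    return sorted(lines)


if __name__ == "__main__":
    print("\n".join(bundled_provides(SAMPLE_CARGO_LOCK)))
```

Because the lock file is the input, the output covers the same set as the vendor directory, including the build-only crates the comment above insists on tracking; a crate that only ever runs at build time still gets a bundled() Provides, which is what lets a later CVE lookup find the package that embeds it.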
