ci: introduce rust toolchain #9791
Conversation
tobtoht
force-pushed
the
ci_rust
branch
2 times, most recently
from
276e9cc to
f55e777
Compare
.github/workflows/depends.yml
Outdated
| # We could update ld (a pain), update Ubuntu (requires a large amount of changes), or downgrade Rust | ||
| # We can't use Rust 1.70 due to LLVM 16 requiring ld >= 2.40 when building for Windows | ||
| run: | | ||
| curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y |
There was a problem hiding this comment.
Installing a script sourced from a serbian TLD without any validation in the depends environment makes me nervous. You may want to force a manual installation with a known checksum, as described here: https://rust-lang.github.io/rustup/installation/other.html#manual-installation.
There was a problem hiding this comment.
To be clear, I think country-level TLDs increase the risk (irrespective of country), but the methodological concern applies to any domain.
There was a problem hiding this comment.
Rustup installs unsigned binaries that rolled off some CI somewhere. For development builds, I think that's fine. For release builds, that's not okay. The CI jobs here are not release builds and anyone who wishes to run the artifacts should take proper precaution by running them in an isolated environment.
There was a problem hiding this comment.
The CI jobs here are not release builds and anyone who wishes to run the artifacts should take proper precaution by running them in an isolated environment.
I do not object to this policy, and I like the wording; perhaps you can post this exact sentence as a comment at the top of the file, so readers understand the workflow's aim.
Co-authored-by: Luke Parker <[email protected]>
|
@hinto-janai The CI runs were containerized in #9708 and #9784. The Ubuntu/Debian base images do not come with Rust/Cargo installed, hence the installation. |
No description provided.