Investigate packaging Rust crates separately

[emilazy]

Right now, every Rust package is an ecosystem unto itself, with dependency versions being selected from each package’s upstream Cargo.lock file (or a vendored one if none is present). This stands in contrast to how many language ecosystems in Nixpkgs work, and has caused us problems:

1. Cargo.lock considered harmful #327063 – keeping Cargo.lock files in the repository bloats its size, but gives us more static insight into the dependencies used by packages and avoids hacky FOD duplication.

2. Rust 1.80.0 breaks some packages #332957 – in an ideal world, we could bump time once to the fixed version, rather than playing whack‐a‐mole with all the broken packages.

3. This hasn’t happened yet, but I’m reading dealing with all the pinned ffmpeg-sys-next dependencies when I upgrade the default FFmpeg to 7. In general, it’s just pretty painful for us to patch Rust dependencies in a way that it isn’t for many other language ecosystems.

I don’t think it’s practical for us to manually maintain a Rust package set like the Python one. However, I think we could do better here. The idea is that we could essentially have one big Cargo.lock file that pins versions of all crates used across the tree, and abandon both cargoHash and vendored Cargo.lock files. The hope is that this would give us the static advantages of vendored Cargo.lock files, let us reduce the number of versions of the same packages that we ship, and do treewide bumps of package versions with much less pain, while (I hope) still taking up less space in the repository than the status quo.

It wouldn’t be feasible to maintain exactly one version of every package. Many popular packages have incompatible major versions, and we may not want to keep a package exclusively on an older version just for some outdated software that pins an older version than most software is compatible with. However, I suspect we could vastly reduce the proliferation of alternate crate versions across the tree.

A downside would be that we would no longer be using the “known good” versions of packages from our various upstreams. For some packages with incompletely‐declared dependency ranges, this could result in broken builds or functionality. In those cases, we would still have the option to vendor a package‐specific Cargo.lock file. Note that this is how it works in most Linux distributions, so although we might package more Rust software than the average Linux distribution, these challenges aren’t unique to us.

This would not necessarily have to literally be one huge Cargo.lock file; we just need something we can turn into Cargo.lock files or a Cargo source to replace crates.io, as suggested in #327063 (comment). As @alyssais pointed out in the issue I linked, we don’t need the dependencies array, and as I pointed out, one single file is conflict‐prone. I suspect we would want something like a JSON or TOML‐based format with one file per package (or package version). That should be comparable in size and organization to our other language package sets, and minimize conflicts.

There are unsolved problems here, e.g.:

1. We probably don’t want every bump of any Rust library to rebuild every Rust application. We’d need to figure out some way to narrow down the rebuilds to what’s required by each package. The best option I can currently think of is adapting the cargoHash‐style FOD stuff to the task of selecting the subset of our One Big Lock File that is present in the upstream Cargo.lock/Cargo.toml somehow. For instance, it may be acceptable if every crate version bump rebuilds Rust derivations across the tree that check against the src’s Cargo.toml and either succeed because the applicable versions remained constant, or fail because the hash of those versions no longer matches. We just need to be able to short‐circuit the actual builds.

2. We’d need automation to manage the One Big Lock File. In particular, we’d want to be able to tell when a dependency bump is compatible with the version bounds in various packages so that we can decide between bumping vs. adding a new available version, and keep a set of crates that is consistent with the things we package. This could probably be as simple as just automating and unconditionally accepting SemVer‐compatible bumps, dealing with any fallout by hand, and trying SemVer‐incompatible bumps when we feel brave.

Ultimately, though, I think that the current status quo is causing a lot of problems, and that if we can successfully pursue this proposal, we’ll hopefully make all the groups here happier: the people who maintain Rust packages, the people who worry about the repository size and evaluation performance of Nixpkgs, and the people who worry about losing Nix’s static guarantees.

cc @matklad who suggested the source approach

cc @alyssais who said that we used to do this but stopped

cc @Atemu who opened the issue about Cargo.lock

[emilazy]

I also forgot to mention that we could maybe share more actual crate builds between packages if we did this, though I don’t know how much that’d actually help or how tricky it’d be to set up the machinery for it.

[alyssais]

My idea would be to have Rust programs depend on packages containing source code for their dependencies, like "time_0_3". We'd have one package for each semver boundary, so "time_0_3", "time_0_4", "time_1", etc. cargoSetupHook would learn to assemble all Rust source inputs into a vendor directory. We'd have a script that, given a package for Rust program, generated the required packages, and output the list of dependencies to paste into the expression for the Rust program. The source packages could have an updateScript, so updating Rust packages could be taken care of via r-ryantm.

I think this would be relatively straightforward to implement, and it's attractive because it makes Rust dependencies feel as much like normal dependencies as possible, even though they would just be source packages under the hood (because Cargo forces this).

[emilazy]

If we could make a scheme like that work, it’d be fantastic. I don’t want to add more generated Nix code in‐tree, or hand‐written boilerplate, than is necessary, though. If we can generate non‐code spec files for packages that Nix code turns into packages that work like that, that’d be fantastic. For instance, we could have a generator that turns a hand‐written src.nix into a rust-package.toml that lists its direct Cargo.toml dependencies and other information we might need, and a package.nix that just does { mkRustPackage }: mkRustPackage ./src.nix ./rust-package.toml, where mkRustPackage resolves those dependencies to the actual packages.

[Mic92]

Rather than one big lock file, sharding crates in smaller files by some name prefix make be both easier review (i.e. editors and github ui doesn't go mad because of the size) and more efficient to store in git (I remember @alyssais talking about some in-efficiencies with all-packages.nix).

[emilazy]

Right; my proposal in the original post (which I realize is tl;dr) was actually one file per package, to avoid Git conflicts. It’s only conceptually one big Cargo.lock :)

[eclairevoyant]

more efficient to store in git (I remember @alyssais talking about some in-efficiencies with all-packages.nix).

Specifically git stores files, not diffs/changes, so anything that reduces the filesize in a given commit will help massively. (Identical files are deduped.)

[Atemu]

Git is a lot smarter than that; files that are only slightly different are also deduped. In fact quite efficiently so: I have yet to find a more efficient storage format than a bare git repository for a bunch of large text files that differ slightly in a bunch of places.

Having one big file is actually quite efficient. I have not measured it but I'd expect the per-file overhead (obj ID, file name, mode) and lack of huffman coding between the files' contents to be quite a lot less efficient than One Big File.

[emilazy]

I think you might both be right and it depends on whether the refs have been packed or not yet? But I don’t know that much about Git’s storage layer, so my knowledge might be terribly out of date.

One single file doesn’t seem good for conflict handling, anyway. I think one file per package would be fine if it’s deduplicated across the whole tree, because after all Nixpkgs already consists basically entirely of files for individual packages.

The more I think about (my version of) @alyssais’ proposal the more I am tempted to try and implement it. It would make things very normal. The only question is whether it can be automated enough to be comparably seamless to the status quo.

[Atemu]

You can basically always expect git objects to be packed when size is of importance.

As for conflict handling: I don't see why it'd be a factor as the file should basically never be edited by hand, always by automation. We don't worry about conflicts in i.e. the hackage packages file either.

[emilazy]

It’d be edited by automation in independent PRs pretty frequently as crates are added to satisfy new dependencies in packages. That results in a lot of opportunity for conflicts because of mismatching diff context.

Anyway, the main problem is that we need to avoid changes to the locked package set rebuilding all Rust crates, which is hard without CA derivations. Alyssa’s approach avoids that in a very simple way.

[MostAwesomeDude]

(Note: git does not deduplicate within blob objects. A pack of objects may have cross-object deduplication performed by compression, but this isn't part of the object model itself. Source: I recently read through stuff like upstream docs on the object model while implementing tools which don't use the porcelain.)