Compare commits
5 commits: main ... ryansquare

| SHA1 |
|---|
| b064b12625 |
| 845b74873e |
| 26dffa01c7 |
| 098232294b |
| d8688e3fc8 |
3 changed files with 81 additions and 17 deletions
README.md (55)
@ -178,30 +178,51 @@ seminal paper by Ken Thomson, [Reflections on Trusting Trust](https://www.cs.cmu

A comparison of `stagex` to other distros in some of the areas we care about:

| Distro | Containerized | Signatures | Libc | Bootstrapped | Reproducible | Rust Deps |
|--------|---------------|------------|-------|--------------|--------------|-----------|
| Stagex | Native | 2+ Human | Musl | Yes | Yes | 4 |
| Guix | No | 1 Human | Glibc | Yes | Yes | 4 |
| Nix | No | 1 Bot | Glibc | Partial | Mostly | 4 |
| Debian | Adapted | 1 Human | Glibc | No | Partial | 232 |
| Arch | Adapted | 1 Human | Glibc | No | Partial | 262 |
| Fedora | Adapted | 1 Bot | Glibc | No | No | 166 |
| Alpine | Adapted | None | Musl | No | No | 32 |
| Distro | OCI Support | Package Strategy | Signatures | Libc | Bootstrapped | Reproducible | Rust Deps |
|--------|-------------|------------------|------------|-------|--------------|---------------|-----------|
| Stagex | Native | External | 2+ Human | Musl | Yes | Yes | 9 |
| Guix | Exported | External | 1 Human | Glibc | Yes | Partial (90%) | 4 (Unconfirmed) |
| Nix | Exported | External | 1 Bot | Glibc | Partial | Partial (95%) | 25 |
| Debian | Published | Inline | 1 Human | Glibc | No | Partial (96%) | 231 |
| Arch | Published | Inline | 1 Human | Glibc | No | Partial (90%) | 127 |
| Fedora | Published | Inline | 1 Bot | Glibc | No | No | 167 |
| Alpine | Published | Inline | None | Musl | No | No | 41 |

### Notes

- “Bootstrapped”: Can the entire distro be full-source-bootstrapped from Stage0
- “Reproducible”: Is the entire distro reproducible bit-for-bit identically
- “Rust Deps”: the number of total dependencies installed to use rustc
- "OCI Support": Whether a distro is natively based around the composability
and layering of Containerfiles ("native"), can be used to create an OCI
or Docker container from its own package manager ("exported"), or has images
published that can be used as the base for a Containerfile ("published").
- "Package Strategy": Whether a distro separates the installation of software
packages from the context assigned to building them
- In StageX, Guix, and Nix, package management is declarative, and can be
performed without a package manager in an execution context.
- In Debian, Arch, Fedora, and Alpine, package managers are invokable
command-line tools, with no native declarative management system.
- "Bootstrapped": Can the entire distro be full-source-bootstrapped from Stage0
- "Reproducible": Is the entire distro reproducible bit-for-bit identically
- Statistics have been pulled from https://reproducible-builds.org/citests/
- The statistic we care about the most is the distribution as a whole,
meaning a combination of "core" packages as well as "extra" or
"community". Multiple architectures, however, are not yet considered.
- Fedora and Alpine were previously listed on the Reproducible Builds site,
but their entries have not been maintained, and as such are marked not
reproducible.
- Arch Linux is currently out of date; as such, metrics have been pulled
from their own site: https://reproducible.archlinux.org/
- "Rust Deps": the number of total dependencies installed to use rustc
- Rust is a worst case example for compiler deps and build complexity
- It is kind of a nightmare most distros skip
- See: [Guix documenting their process](https://guix.gnu.org/en/blog/2018/bootstrapping-rust/) (similar to ours)
- Nix, guix, and our distro get away with only 4 deps because:
- Rustc -does- need ~20 dependencies to build
- The final resulting rust builds can run standalone
- We only actually need musl libc, llvm, and gcc to build most projects
- Nix, guix, and our distro get away with small dependency counts because:
- Rustc _does_ need ~20 dependencies to build
- These distributions can reduce initial package constraints to only a
package manager and the required utilities
- The numbers listed here were generated by installing Cargo on a Docker
Hub container of the distro in question, via the "rust-deps" scripts.

### Signatures
## Signatures

* Signatures are made by the PGP public keys in the "keys" directory
* Signatures are made by any tool that implements "[Container Signature Format](https://github.com/containers/image/blob/main/docs/containers-signature.5.md)"
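Review bot: the provenance note that closes the Notes list ("The numbers listed here were generated by installing Cargo on a Docker Hub container of the distro in question, via the "rust-deps" scripts") does not cover every row of the new table: the Containerfile added in this change has stages only for Debian, Arch Linux, Fedora, Alpine and Nix, so the Stagex figure (9) and the Guix figure (4, marked Unconfirmed) were obtained some other way, and the note should say how, or the two rows should be footnoted as not script-generated. The "Reproducible" percentages (90%, 95%, 96%) are likewise quoted from live dashboards (reproducible-builds.org/citests and reproducible.archlinux.org) with no retrieval date; recording the date next to the "Statistics have been pulled from" bullet lets a reader judge staleness, which is exactly the problem the Fedora/Alpine bullet describes. Finally, the "Rust Deps" definition ("the number of total dependencies installed to use rustc") overstates what the script measures, since the counts are of all installed packages rather than of rustc's dependencies; see the note on the Containerfile hunk.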
src/rust-deps-stats/Containerfile (35, normal file)
@ -0,0 +1,35 @@
# NOTE: This script does not make use of heredocs to ensure it can be run on
# as many systems as possible. This is in contrast to the StageX project, which
# requires containerd and Docker 26+

FROM debian:bookworm-slim AS debian-results
RUN apt-get update && \
apt-get install -y cargo rustc && \
printf "DEPS (Debian): %s\n" $(dpkg --get-selections | wc -l) > /results.txt

FROM archlinux:base AS archlinux-results
RUN pacman -Syu --noconfirm rust && \
printf "DEPS (Arch Linux): %s\n" $(pacman -Q | wc -l) > /results.txt

FROM fedora:40 AS fedora-results
# Yum prints a header, even when called with --quiet
RUN yum install -y cargo && \
printf "DEPS (Fedora): %s\n" $(yum list installed | tail -n +2 | wc -l) > /results.txt

FROM alpine:3 AS alpine-results
RUN apk add cargo && \
printf "DEPS (Alpine): %s\n" $(apk list --installed --quiet | wc -l) > /results.txt

# NOTE: Nix does not specify a generic 2 or 2.24, meaning it may become
# out-of-date and result in errors.
FROM nixos/nix:2.24.7 AS nix-results
RUN get_deps='nix-store -q --requisites $(dirname $(dirname $(which cargo)))' && \
printf "DEPS (Nix) %s\n" $(nix-shell -p cargo --run "$get_deps" | wc -l) > /results.txt

FROM debian:bookworm-slim AS results
COPY --from=debian-results /results.txt /results-debian.txt
COPY --from=archlinux-results /results.txt /results-archlinux.txt
COPY --from=fedora-results /results.txt /results-fedora.txt
COPY --from=alpine-results /results.txt /results-alpine.txt
COPY --from=nix-results /results.txt /results-nix.txt
RUN cat /results-*.txt | tee /results-total.txt
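Review bot: the stages do not measure the same quantity, so the resulting "Rust Deps" column compares different things. The Debian, Arch, Fedora and Alpine stages count every package present after the install (`dpkg --get-selections | wc -l`, `pacman -Q | wc -l`, and so on), which includes whatever the base image already shipped, while the Nix stage counts the store closure of cargo via `nix-store -q --requisites`, which excludes the image's own tooling. Either count the closure everywhere, or record the package count before and after installing cargo in each stage and report the difference, so the figure is "packages pulled in by cargo" rather than "packages in the image". Two smaller points: `dpkg --get-selections` also lists packages in the deinstall state, so `dpkg-query -W -f '${binary:Package}\n' | wc -l` is a closer count of what is installed; and every base tag except nixos/nix is a floating tag (`debian:bookworm-slim`, `archlinux:base`, `fedora:40`, `alpine:3`), so the counts drift as those images move, the inverse of the concern the NOTE raises about pinning Nix. Pinning by digest, or at least writing the pulled image digests into /results.txt beside each count, would keep the README figures attributable to a specific input.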
src/rust-deps-stats/rust-deps.sh (8, normal file)
@ -0,0 +1,8 @@
#!/bin/sh

set -eu

SCRIPTDIR="$(cd "$(dirname $0)"; pwd)"

docker build -t stagex-comparison-results -f "$SCRIPTDIR/Containerfile" "$SCRIPTDIR"
docker run --rm stagex-comparison-results cat /results-total.txt
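Review bot: `SCRIPTDIR="$(cd "$(dirname $0)"; pwd)"` leaves `$0` unquoted, so a checkout path containing whitespace splits the argument to `dirname` and, under `set -eu`, the script dies with an unhelpful error; write `"$(dirname "$0")"`. The `docker build` invocation also reuses the layer cache, so re-running the script after the floating base tags have moved can report the cached counts rather than the current ones; passing `--pull --no-cache` (or documenting that the caller should) makes regenerated numbers reflect the images actually in use.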