[PATCH 0/2] Add librsvg-bootstrap

librsvg is an input for emacs, gtk+@2 and gtk+@3. With the rust inputs

this leads to (unknown) rust libraries causing the rebuild of over 3000

packages on core-updates-frozen. Rather than hunt them down I tracked

down the packages which would have many rebuilds and added a copy of

librsvg for them to use.

Efraim Flashner (2):

Add librsvg-bootstrap.

gnu: Use librsvg-bootstrap.

gnu/packages/emacs.scm | 2 +-

gnu/packages/gnome.scm | 23 +++++++++++++++++++++++

gnu/packages/gtk.scm | 4 ++--

3 files changed, 26 insertions(+), 3 deletions(-)

base-commit: 75b5ad6aa3b55b2cbd7f333411cbc9e21ab1e186

--

2.33.1

---

gnu/packages/gnome.scm | 23 +++++++++++++++++++++++

1 file changed, 23 insertions(+)

---

gnu/packages/emacs.scm | 2 +-

gnu/packages/gtk.scm | 4 ++--

2 files changed, 3 insertions(+), 3 deletions(-)

Hi,

Am Sonntag, den 14.11.2021, 16:07 +0200 schrieb Efraim Flashner:

In my opinion, one of the selling points of Guix is that of

bootstrappability. I don't think adding big blobs to Emacs of all

things is a great way of delivering on that promise. I think we ought

to rather "invest" in alternatives to Rust and Rust-locked libraries or

make Rust packaging itself sane (if it can at all).

I think librsvg is optional already and people who want to save on

compilation time can decide to replace it with e.g. GNU hello using the

--input option. In the similar case of mozjs, a replacement with

duktape is discussed on guix-devel, at least for polkit.

As a temporary resolution to the rebuild issue, we could pin the

dependencies of librsvg to some specific versions and only bump them

when something awful happens. I'm not sure whether librsvg exposes any

of the Rust nastiness to its dependencies, ideally hoping that it would

not.

WDYT?

On Sun, Nov 14, 2021 at 06:27:02PM +0100, Liliana Marie Prikler wrote:

It seems I was wrong about emacs; both emacs-minimal and emacs-no-x are

built without librsvg.

I don't believe librsvg exposes any rust-y stuff.

(ins)efraim@3900XT /tmp/librsvg-2.50.7$ ls vendor/ | wc -l

226

There are 226 crates that upstream bundles with their source. I suppose

we could pare it down to about 200 by careful pruning but it's part of

librsvg and not going away.

(ins)efraim@3900XT ~/workspace/guix-core-updates$ git grep \,librsvg | wc -l

103

I'm suggesting that for gtk+@2 and gtk+@3 we use the bundled crates and

for the other 101 packages we continue to use our current version, where

we replace all of the bundled crates with our own copies, which get

updated more often than librsvg does.

With our current rust tooling I don't think it'd be that easy to find

the ~226 crates that librsvg depends on, and it wouldn't be great to

lock them due to librsvg being an input for gtk2/3.

--

Efraim Flashner <efraim@flashner.co.il> ????? ?????

GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351

Confidentiality cannot be guaranteed on emails sent or received unencrypted

Hi,

Am Sonntag, den 14.11.2021, 20:07 +0200 schrieb Efraim Flashner:

That sounds like a good start for once.

Well, I'd suggest snippeting them away, but that's a different topic.

I'd hazard a guess that most if not all of these 103 packages are

themselves gtk-adjacent, so what really is the issue we're solving

here? What is the point of maintaining an extra version for 101 of

them when a potentially vulnerable GTK sits right next to them?

Said input exists due to gdk-pixbuf+svg, with the +svg part being

largely optional – the most common failure mode of it not being

included are broken button textures, which we could fix by pre-

rendering images with a suitable tool, such as inkscape. We could

easily do a minimal gtk[+]? without it.

As for the lock, why can't we? gtk+ is already core-updates material,

so it stands to reason that anything causing it to rebuild is too.

Rather than push down blobs to the users because we can't deal with

Rust, we should fix Rust or make it go away from the build.

WDYT?

Hi Efraim,

I had completely overlooked these patches, oops!

Efraim Flashner <efraim@flashner.co.il> skribis:

[...]

Yes, that’s a problem, though Liliana is right that bundling isn’t great

either.

I’m annoyed by this whole librsvg situation. On non-x86_64, we now

depend on librsvg 2.40, the old C version, and guess what, it just

works. That has me tempted to stick with 2.40 all along because these

Rust problems don’t seem to have a pleasant, or even an easy solution.

Now, using the proposed ‘librsvg-bootstrap’ in GTK+ looks like a lesser

evil.

Thoughts?

Ludo’.

On Mon, Dec 06, 2021 at 01:17:47PM +0100, Ludovic Courtès wrote:

Unbundling the rust crates is the right option, but not the easy option.

With the assumption that rust-libc-0.2 is in the graph for librsvg, we

add another copy named rust-libc-0.2.101 (the current version) and a

comment that it only gets adjusted on core-updates or that it causes

XXXX package rebuilds.

On a small tangent, the work I do sometimes to try to actually have a

dependency graph with the crates would only make these easier to find,

not actually address the issue here.

I'm not sure if it'd be better to mostly copy the packages with a new

name and keep the cargo-inputs or to actually adjust the

cargo-inputs->inputs and cargo-development-inputs->native-inputs so we

get the dependency graph from rust-libc-0.2.101 to librsvg. I'd like to

make the change but if we don't get the others changed then we

effectively really have two sets of rust crates.

If we have both cargo-inputs and inputs then the cargo-build-system

doesn't have issues with using either type with later packages, so that

might be the best option for now.

--

Efraim Flashner <efraim@flashner.co.il> ????? ?????

GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351

Confidentiality cannot be guaranteed on emails sent or received unencrypted

Hi Efraim,

Efraim Flashner <efraim@flashner.co.il> skribis:

Thinking out loud… would it work to change:

(arguments '(#:cargo-inputs X #:cargo-development-inputs Y))

to:

(native-inputs (map package-source Y))

(inputs (map package-source X))

?

Or am I just saying nonsense?

Thanks,

Ludo’.

On December 6, 2021 4:37:12 PM UTC, "Ludovic Courtès" <ludo@gnu.org> wrote:

Then we lose the transitive package sources, which is how we ended up where we are today.

I can go and change the cargo-build-system to use the skip-build flag in more phases to skip them when we aren't going to be building them anyway. No need to generate cargo checksums if we're not building I think.

--

Sent from my Android device with K-9 Mail. Please excuse my brevity.

Efraim Flashner <efraim@flashner.co.il> skribis:

[...]

[...]

True.

With the minimal changes to (guix build-system cargo) below, one can use

either the current style or pass “development inputs” as ‘native-inputs’

and other dependencies as ‘inputs’. Source transitivity is preserved

but you can write packages the normal way.

I modified some of the dependencies of librsvg to use

native-inputs/inputs and you can see when applying this part of the

patch that the librsvg derivation is unchanged. Good thing is that

‘guix graph’ and ‘guix refresh -l’ work for these packages.

Is this a direction we want to take?

If so, we can have ‘guix style’ automate transformations.

Thanks,

Ludo’.

Howdy!

Efraim Flashner <efraim@flashner.co.il> skribis:

[...]

Notice that the dependency cycle, as discussed on IRC, breaks things

like ‘guix show’ (?) and ‘guix graph’, but doesn’t break actual package

builds because it’s a <package> cycle that vanishes once packages are

lowered to bags and derivations.

Regardless, it would be nice not to have cycles in the first place.

[...]

What are the “changes to save previous crates for the next input”?

No no, it’s completely unrelated to the librsvg issue, which is why I

changed subject lines. :-) I think it’d be nice to have anyway.

OK.

[...]

Right. Support for #:cargo-development-inputs and #:cargo-inputs is

here so we could have a smooth “upgrade” without breaking compatibility.

Anyway, I think the priority is to get ‘core-updates-frozen’, which

probably involves either pinning librsvg dependencies or using the

bundled libraries as you showed at the beginning of this thread.

We can resume work on prettified Rust packages after that; it’ll be

useful to be able to use ‘guix refresh -l’.

Ludo’.

Hello!

For the record, this is a followup to Efraim’s proposal in

https://issues.guix.gnu.org/51845.

Efraim Flashner <efraim@flashner.co.il> skribis:

The advantage of this approach is that we could do it incrementally: we

could merge ‘core-updates-frozen’ today and just add pinned variants of

these 200+ crates as needed as time passes. The downside is that it’s a

lot of crates to take care of, and we might still accidentally overlook

seemingly innocuous crate upgrades that end up causing major rebuilds.

This option will involved a rebuild on x86_64, but the advantage is that

we’ll be safe going forward: we won’t accidentally cause world rebuilds

just because an obscure crate somewhere has been upgraded.

[...]

Same here; it’s not ideal, but it seems like the most reasonable

short-term option.

If there are no objections, I’d suggest that you go ahead with this

plan.

Thanks for keeping the ball rolling!

Ludo’.

Ludovic Courtès <ludo@gnu.org> writes:

I agree that 2b is the most sensible option in our current situation.

--

Ricardo

On Wednesday, December 8th, 2021 at 6:36 AM, Ricardo Wurmus <rekado@elephly.net> wrote:

As a developer and new-ish Guix user (and not someone familiar with rust), I am also in favor of 2b. Dealing with 200+ dependencies takes time, and core-updates-frozen has been on the cusp of merging for some time now.

I'd like to see c-u-f merged back into master sooner, as master lacks support for newer hardware while also getting regular package updates that are only periodically merged to core-updates-frozen. Even before the c-u-f sprint last month where I switched all of my systems to c-u-f, I had one system that was first a frankensteined master before finally managing to switch it to c-u-f, to pick up a newer mesa that wasn't unusably buggy on a Radeon RX 6700 XT.

Cheers,

Kaelyn

P.S. Regarding switching my systems, the only issue I've run into that hasn't been fixed is that tigervnc only recently added support for building against xorg-server 21.1.1, and the current tigervnc release (1.12.0) was released before that support landed. (I have a standalone package definition for building a recent git commit.)

On Wed, Dec 08, 2021 at 02:36:11PM +0000, Ricardo Wurmus wrote:

Patches pushed to core-updates-frozen. I added a TODO to fix the

situation.

Thanks for the input everyone.

--

Efraim Flashner <efraim@flashner.co.il> ????? ?????

GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351

Confidentiality cannot be guaranteed on emails sent or received unencrypted