
[MIR] RFC: Introduce "base-sets" for vendored dependencies #44

@s-makin

Description

This issue was originally filed by @slyon in the MIR repo

Request

Modern languages like Rust or Golang make heavy use of vendoring for their dependencies; therefore we cannot easily link applications against libraries from the Ubuntu archive, which are supported and covered by the security team. (cpaelzer#3)

Different applications might pull in different versions of the same vendored dependency, which need to be tracked and updated individually (https://wiki.ubuntu.com/RustCodeInMain).

I wonder if we could define some kind of base-set ("base-crates"/"base-packages") similar in nature to "base-snaps". Those would describe a bundle of specific crates/packages/dependencies using specific versions and might be uploaded to crates.io / pkg.go.dev or implemented as a .deb package in the Ubuntu archive and maintained & supported by the corresponding toolchain team / security team.

For Rust one "base-set"/"base-crate" might for example contain dependencies to specific versions of very common crates, such as:

* [clap](https://crates.io/crates/clap)
  A simple to use, efficient, and full-featured Command Line Argument Parser

* [curl](https://crates.io/crates/curl)
  Rust bindings to libcurl for making HTTP requests

* [libc](https://crates.io/crates/libc)
  Raw FFI bindings to platform libraries like libc.

* [openssl](https://crates.io/crates/openssl)
  OpenSSL bindings

* [serde](https://crates.io/crates/serde)
  A generic serialization/deserialization framework

Those dependencies (and probably more) are heavily used by many applications. When packaging Rust/Golang applications for "main" we could change their dependencies to make use of a base-set supported by Canonical, which should reduce the vendoring burden by a lot, as only additional dependencies (not part of the base-set in use) would need to be tracked individually.

I'd like to gauge your input on this thought. Also CC @liushuyu @zhsj @schopin-pro @samkamer

TODO:

* [ ]  Update the "Rust code in main" section of `vendoring/Rust.md`, to drop the recommendation to use vendoring for Rust packages, see: [Import Rust vendoring document #66 (comment)](https://github.com/canonical/ubuntu-mir/pull/66#discussion_r1742206052)

Replies in thread

(Quite a long discussion, please refer to the original thread)
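The proposal above rests on two observations: each application's vendored tree resolves the same crate to its own version, and a base-set would collapse most of those per-application versions into one pinned set. The following is an added example written for this page, not code from the issue author or from the ubuntu-mir project, showing the check a security team would run to see that drift concretely. It parses the `[[package]]` entries of several Cargo.lock files, reports crates vendored at different versions across applications, and flags every place an application deviates from a hypothetical base-set pin. The two lock files (`app-a`, `app-b`) and the base-set version pins are constructed for illustration and do not describe real packages.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// One `[[package]]` entry from a Cargo.lock: crate name and resolved version.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
}

/// Minimal line-oriented parser for the `[[package]]` tables of a Cargo.lock.
/// Cargo.lock is machine-generated TOML in which every `[[package]]` header is
/// followed by `name = "..."` and `version = "..."` lines, so no full TOML parser
/// is needed for this check. Other keys (source, checksum, dependencies), the
/// `[metadata]` table and the top-level lockfile `version = N` line are skipped.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<LockedPackage>) {
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            out.push(LockedPackage { name: n, version: v });
        }
    }
    let mut out = Vec::new();
    let (mut name, mut version) = (None, None);
    let mut in_package = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            // Any table header ends the current [[package]] entry.
            flush(&mut name, &mut version, &mut out);
            in_package = line == "[[package]]";
        } else if !in_package {
            continue;
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// Crates vendored by more than one application at different versions:
/// crate name -> (application -> version). Without a base-set, each of these
/// is a separate thing the security team has to track and update.
pub fn version_drift(apps: &BTreeMap<&str, Vec<LockedPackage>>) -> BTreeMap<String, BTreeMap<String, String>> {
    let mut by_crate: BTreeMap<String, BTreeMap<String, String>> = BTreeMap::new();
    for (app, pkgs) in apps {
        for p in pkgs {
            by_crate.entry(p.name.clone()).or_default().insert(app.to_string(), p.version.clone());
        }
    }
    by_crate.into_iter()
        .filter(|(_, per_app)| per_app.values().collect::<BTreeSet<_>>().len() > 1)
        .collect()
}

/// One finding: an application vendors a base-set crate at a version other
/// than the one the base-set pins.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Deviation { pub app: String, pub krate: String, pub vendored: String, pub pinned: String }

/// Compare every application's lock file against the base-set pins. Crates
/// outside the base-set are ignored here: they are the remainder that still
/// needs individual tracking.
pub fn base_set_deviations(apps: &BTreeMap<&str, Vec<LockedPackage>>, base_set: &BTreeMap<&str, &str>) -> Vec<Deviation> {
    let mut out = Vec::new();
    for (app, pkgs) in apps {
        for p in pkgs {
            if let Some(pinned) = base_set.get(p.name.as_str()) {
                if *pinned != p.version {
                    out.push(Deviation { app: app.to_string(), krate: p.name.clone(), vendored: p.version.clone(), pinned: pinned.to_string() });
                }
            }
        }
    }
    out
}

// Constructed sample lock files for two hypothetical applications (not real packages).
pub const APP_A_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "clap"
version = "4.5.4"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "libc"
version = "0.2.153"

[[package]]
name = "serde"
version = "1.0.197"

[[package]]
name = "app-a"
version = "0.1.0"
dependencies = [
 "clap",
 "libc",
 "serde",
]
"#;

pub const APP_B_LOCK: &str = r#"
version = 3

[[package]]
name = "app-b"
version = "0.3.1"

[[package]]
name = "clap"
version = "3.2.25"

[[package]]
name = "curl"
version = "0.4.46"

[[package]]
name = "serde"
version = "1.0.190"
"#;

/// Hypothetical base-set pins (illustrative versions, not a real Canonical base-set).
pub fn example_base_set() -> BTreeMap<&'static str, &'static str> {
    BTreeMap::from([("clap", "4.5.4"), ("libc", "0.2.153"), ("openssl", "0.10.64"), ("serde", "1.0.197")])
}

/// Run both checks over the constructed inputs.
pub fn analyze() -> (BTreeMap<String, BTreeMap<String, String>>, Vec<Deviation>) {
    let mut apps = BTreeMap::new();
    apps.insert("app-a", parse_cargo_lock(APP_A_LOCK));
    apps.insert("app-b", parse_cargo_lock(APP_B_LOCK));
    let base_set = example_base_set();
    (version_drift(&apps), base_set_deviations(&apps, &base_set))
}

fn main() {
    let (drift, devs) = analyze();
    for (krate, per_app) in &drift {
        println!("drift: {krate} -> {per_app:?}");
    }
    for d in &devs {
        println!("{}: {} vendored {} but base-set pins {}", d.app, d.krate, d.vendored, d.pinned);
    }
}
```

With the constructed inputs, `clap` and `serde` show up as drift (two versions each across the two applications), and both deviations belong to `app-b`; `curl`, which the hypothetical base-set does not pin, is reported by neither check and is exactly the kind of dependency that would still have to be tracked on its own.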

Metadata

Assignees: no one assigned
Labels: MIR (For the attention of the MIR team), help wanted (Extra attention is needed)