cargo-quickinstall: Problems with dynamically linked binaries (e.g. no OpenSSL 3 compatibilty)
Some of the newer OSes (notably Ubuntu 22.04 LTS Jammy Jellyfish) only ship with OpenSSL 3.0 and do not have an OpenSSL 1.1 package. This results in an error when trying to run the executable built by this project as Ubuntu 20.04 which the executables here are built with ships with OpenSSL 1.1:
/home/ubuntu/.cargo/bin/cargo-install-update: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
This is problematic because different OSes will have different versions of libraries available. I feel like linking more things statically would be helpful here. To allow to support many currently used operating systems, it probably would make sense to limit the number of libraries that you link against dynamically.
For starters, statically linking OpenSSL would help with a bunch of packages already. This isn’t necessarily that easy since you would need a static build of OpenSSL but I think it might be achievable by either building a custom Docker image with a static OpenSSL build (and other static libs in the future) or using some existing work such as:
- https://github.com/emk/rust-musl-builder
- https://github.com/clux/muslrust
- https://github.com/golddranks/rust_musl_docker
All of these are musl-based as statically linking with glibc is usually advised against because of NSS issues and licensing.
I’d like to also mention Python’s manylinux images as the Python packaging community seems to have solved this problem of supporting mainstream distros with a single build: https://peps.python.org/pep-0600/#core-definition They approached this problem a bit differently and the specification allows you to dynamically link against glibc as well as any dynamic libraries that are available in ALL mainstream distros with that (or newer) glibc version. Anything else still would need to be statically linked. Considering that you can’t really give separate builds for people with different glibc versions like Python does, you would presumably have to choose a single minimum glibc version for which you want to build. Maybe it’s not that great of an idea for solving this issue but I wanted to at least mention how the Python packaging community approached it. The upside of this would be that you would still be able to build against glibc and just would have to limit yourself to only dynamically linking glibc and the few libraries that are available in ALL mainstream distros with that minimum glibc version.
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 18 (12 by maintainers)
I resisted this idea for ages, to limit the scope of
cargo-quickinstall(and to avoid having to re-build my archive of packages with whatever new scheme I pick). Maybe it is worth doing though, because it’s our top issue.Interestingly,
cargo installwill let us specify features of transitive dependencies, like this:If you name a crate that isn’t in the dependency tree, you get an error back almost immediately.
If all of our bug reports are currently about openssl then we could just try compiling with
--features=openssl-sys/vendoredenabled and then fall back to installing without that flag when it fails.In theory, if we end up with a bunch of packages that are similar to openssl then we could tee stderr to a file and look for the
```does not have a dependency named `aaaa````
error message, to remove that package from the list.
We can deal with that later though.
(Annoyingly, the
openssl-sys?/vendoredsyntax from https://doc.rust-lang.org/cargo/reference/features.html#dependency-features still fails if openssl-sys is not a dep. Maybe we could propose fixing that upstream?)