Nix Rust

Sender	Message	Time
22 Nov 2025
	raizo joined the room.	12:27:32
	@cuer:envs.net removed their profile picture.	15:09:23
	@cuer:envs.net removed their display name Cuer.	15:09:26
	@cuer:envs.net left the room.	15:09:28
24 Nov 2025
rosssmyth	Some experimenting I was doing today https://github.com/RossSmyth/fetch-cargo-index	01:02:15
niklaskorz	so how big is the generated index? 😅	10:50:28
Acid Bong	it'd be more convenient if Crates themselves forbade downloading insecure libraries	11:08:36
	amadaluzia changed their display name from amadaluzia (🇹🇷 til 25th) to amadaluzia.	12:57:05
dish [Fox/It/She]	In reply to @niklaskorz:matrix.org so how big is the generated index? 😅 at the end of the readme, says about 50MB x_x	14:32:42
niklaskorz	well maybe we shouldn't include the whole cargo-verse	14:43:56
dish [Fox/It/She]	if we try to do filtering we end up like nodePackages	14:44:26
dish [Fox/It/She]	which is to say, not good	14:44:37
rosssmyth	Yeah unfortunately I'm unsure of a much better way. Only including deps that Nixpkgs requireds in a json file quickly would become similar to nodePackages, where every time a crate is added it is required to modify a file which results in merge conflict hell usually, especially if it is minimized to reduce storage space requirements	17:33:00
rosssmyth	The other idea would be to have a package set that is similar to `all-packages`, which I think tooling could be made that wouldn't make it too bad	17:33:35
rosssmyth	That's basically yanked packages, which that prototype tool already filters out automatically. But unfortunately yanked packages cannot be relied on.	17:34:37
rosssmyth	* That's basically yanked packages, which that prototype tool already filters out automatically. But unfortunately yanked packages cannot be relied on for security.	17:34:48
rosssmyth	Since it could be an unmaintained package, so the author would not yanked it	17:35:13
rosssmyth	* Since it could be an unmaintained package, so the author would not yank it	17:35:17
rosssmyth	I have another PR up that if combined with yanked package elimiation would catch CVEs https://github.com/NixOS/nixpkgs/pull/458881	17:36:16
rosssmyth	* I have another PR up that would catch CVEs https://github.com/NixOS/nixpkgs/pull/458881	17:36:25
niklaskorz	oh that's amazing!	18:16:46
25 Nov 2025
WeetHet	Why not do it like this and collect them using nix? use rayon::iter::ParallelIterator; #[allow(dead_code)] #[derive(serde::Serialize)] struct CrateJson { name: String, version: String, checksum: [u8; 32], deps: Vec<String>, } fn main() { let index = crates_index::GitIndex::with_path("../index", crates_index::git::URL).unwrap(); println!("Processing crates..."); index .crates_parallel() .filter_map(\|c\| c.ok()) .for_each(\|c\| { println!("Processing crate: {}", c.name()); let name = c.name(); let versions = c.versions(); let mut major_versions: std::collections::HashMap<u64, Vec<&crates_index::Version>> = std::collections::HashMap::new(); for v in versions { if let Ok(semver) = semver::Version::parse(v.version()) { if semver.major == 0 { let key = semver.minor + 1000000; major_versions.entry(key).or_default().push(v); } else { major_versions.entry(semver.major).or_default().push(v); } } } for (_, mut group) in major_versions { group.sort_by(\|a, b\| { let va = semver::Version::parse(a.version()).unwrap(); let vb = semver::Version::parse(b.version()).unwrap(); vb.cmp(&va) }); if let Some(latest) = group.first() { let semver = semver::Version::parse(latest.version()).unwrap(); let major_ver = if semver.major == 0 { 0 } else { semver.major }; let prefix = if name.len() >= 2 { &name[..2] } else { name }; let dir_path = format!("rust-crates/by-name/{}/{}", prefix, name); std::fs::create_dir_all(&dir_path).unwrap(); let file_path = format!("{}/v{}.json", dir_path, major_ver); let crate_json = CrateJson { name: name.to_string(), version: latest.version().to_string(), checksum: *latest.checksum(), deps: latest .dependencies() .iter() .map(\|d\| d.name().to_string()) .collect(), }; let json = serde_json::to_string(&crate_json).unwrap(); std::fs::write(&file_path, json).unwrap(); } } }); }	14:10:21
Acid Bong	just realized I'm running Hacksaw with xcb-0.9, which contains a CVE 💀 i hope bumping it to 1.6 won't break anything	14:13:02
rosssmyth	Yes of course there is more processing to do. This was just an idea I had and I wanted to see how large the JSON file would actually be. This doesn't actually change anything.	19:05:27
rosssmyth	* Yes of course there is more processing to do. This was just an idea I had and I wanted to see how large the JSON file would actually be. This doesn't actually fix anything.	19:12:04
WeetHet	This should help with merge conflicts I think, no?	19:56:20
rosssmyth	The idea of processing all the crates into one file is to eliminate merge conflicts from being possible in the first place	19:58:38
rosssmyth	Since the maintainer(s) of the package set would just regenerate the entire file every week or so	19:59:03
rosssmyth	Another idea I have been ruminating upon is something like: Create a package set like `rustCrates`, but do not populate it with anything initially Create builders similar to the above idea (add the source, add a symlink builder for cargo-vendor) When someone wants to add a Rust package, a new process is used: Use a tool that processes lock files, and checks if the required crates are in the package set If not, it emits the latest semver-compatible to a `by-name`-like directory tree using the crates.to name Each ~week a program similar to the one I made is ran: For each crate in the package set, update each semver to the latest-compatible one, should be relatively fast since no downloading is required, the version is in the index, and the required hash is in the index Write the latest semver-compatible-version and hash in the files Check the rustsec db as well, and if crates are yanked. For program dependencies in which the semver that is required is already in the pkgset, they do not touch the package set. If they need to wait a ~week for the next version to the bumped to that is fine.	20:09:31
WeetHet	Yeah that's basically what I wanted to achieve with my script	21:07:07

raizo joined the room.

12:27:32

@cuer:envs.net removed their profile picture.

15:09:23

@cuer:envs.net removed their display name Cuer.

15:09:26

@cuer:envs.net left the room.

15:09:28

rosssmyth

Some experimenting I was doing today https://github.com/RossSmyth/fetch-cargo-index

01:02:15

niklaskorz

so how big is the generated index? 😅

10:50:28

Acid Bong

it'd be more convenient if Crates themselves forbade downloading insecure libraries

11:08:36

amadaluzia changed their display name from amadaluzia (🇹🇷 til 25th) to amadaluzia.

12:57:05

dish [Fox/It/She]

In reply to @niklaskorz:matrix.org
so how big is the generated index? 😅

at the end of the readme, says about 50MB x_x

14:32:42

niklaskorz

well maybe we shouldn't include the whole cargo-verse

14:43:56

dish [Fox/It/She]

if we try to do filtering we end up like nodePackages

14:44:26

dish [Fox/It/She]

which is to say, not good

14:44:37

rosssmyth

Yeah unfortunately I'm unsure of a much better way. Only including deps that Nixpkgs requireds in a json file quickly would become similar to nodePackages, where every time a crate is added it is required to modify a file which results in merge conflict hell usually, especially if it is minimized to reduce storage space requirements

17:33:00

rosssmyth

The other idea would be to have a package set that is similar to all-packages, which I think tooling could be made that wouldn't make it too bad

17:33:35

rosssmyth

That's basically yanked packages, which that prototype tool already filters out automatically. But unfortunately yanked packages cannot be relied on.

17:34:37

rosssmyth

* That's basically yanked packages, which that prototype tool already filters out automatically. But unfortunately yanked packages cannot be relied on for security.

17:34:48

rosssmyth

Since it could be an unmaintained package, so the author would not yanked it

17:35:13

rosssmyth

* Since it could be an unmaintained package, so the author would not yank it

17:35:17

rosssmyth

I have another PR up that if combined with yanked package elimiation would catch CVEs https://github.com/NixOS/nixpkgs/pull/458881

17:36:16

rosssmyth

* I have another PR up that would catch CVEs https://github.com/NixOS/nixpkgs/pull/458881

oh that's amazing!

Why not do it like this and collect them using nix?

use rayon::iter::ParallelIterator;

#[allow(dead_code)]
#[derive(serde::Serialize)]
struct CrateJson {
    name: String,
    version: String,
    checksum: [u8; 32],
    deps: Vec<String>,
}

fn main() {
    let index = crates_index::GitIndex::with_path("../index", crates_index::git::URL).unwrap();

    println!("Processing crates...");
    index
        .crates_parallel()
        .filter_map(|c| c.ok())
        .for_each(|c| {
            println!("Processing crate: {}", c.name());

            let name = c.name();
            let versions = c.versions();

            let mut major_versions: std::collections::HashMap<u64, Vec<&crates_index::Version>> =
                std::collections::HashMap::new();

            for v in versions {
                if let Ok(semver) = semver::Version::parse(v.version()) {
                    if semver.major == 0 {
                        let key = semver.minor + 1000000;
                        major_versions.entry(key).or_default().push(v);
                    } else {
                        major_versions.entry(semver.major).or_default().push(v);
                    }
                }
            }

            for (_, mut group) in major_versions {
                group.sort_by(|a, b| {
                    let va = semver::Version::parse(a.version()).unwrap();
                    let vb = semver::Version::parse(b.version()).unwrap();
                    vb.cmp(&va)
                });

                if let Some(latest) = group.first() {
                    let semver = semver::Version::parse(latest.version()).unwrap();
                    let major_ver = if semver.major == 0 { 0 } else { semver.major };

                    let prefix = if name.len() >= 2 { &name[..2] } else { name };

                    let dir_path = format!("rust-crates/by-name/{}/{}", prefix, name);
                    std::fs::create_dir_all(&dir_path).unwrap();

                    let file_path = format!("{}/v{}.json", dir_path, major_ver);

                    let crate_json = CrateJson {
                        name: name.to_string(),
                        version: latest.version().to_string(),
                        checksum: *latest.checksum(),
                        deps: latest
                            .dependencies()
                            .iter()
                            .map(|d| d.name().to_string())
                            .collect(),
                    };

                    let json = serde_json::to_string(&crate_json).unwrap();
                    std::fs::write(&file_path, json).unwrap();
                }
            }
        });
}

14:10:21

Acid Bong

just realized I'm running Hacksaw with xcb-0.9, which contains a CVE 💀 i hope bumping it to 1.6 won't break anything

14:13:02

rosssmyth

Yes of course there is more processing to do. This was just an idea I had and I wanted to see how large the JSON file would actually be. This doesn't actually change anything.

19:05:27

rosssmyth

* Yes of course there is more processing to do. This was just an idea I had and I wanted to see how large the JSON file would actually be. This doesn't actually fix anything.

19:12:04

WeetHet

This should help with merge conflicts I think, no?

19:56:20

rosssmyth

The idea of processing all the crates into one file is to eliminate merge conflicts from being possible in the first place

19:58:38

rosssmyth

Since the maintainer(s) of the package set would just regenerate the entire file every week or so

19:59:03

rosssmyth

Another idea I have been ruminating upon is something like:

Create a package set like rustCrates, but do not populate it with anything initially
Create builders similar to the above idea (add the source, add a symlink builder for cargo-vendor)
When someone wants to add a Rust package, a new process is used:
1. Use a tool that processes lock files, and checks if the required crates are in the package set
2. If not, it emits the latest semver-compatible to a by-name-like directory tree using the crates.to name
Each ~week a program similar to the one I made is ran:
1. For each crate in the package set, update each semver to the latest-compatible one, should be relatively fast since no downloading is required, the version is in the index, and the required hash is in the index
2. Write the latest semver-compatible-version and hash in the files
3. Check the rustsec db as well, and if crates are yanked.
For program dependencies in which the semver that is required is already in the pkgset, they do not touch the package set. If they need to wait a ~week for the next version to the bumped to that is fine.

20:09:31

WeetHet

Yeah that's basically what I wanted to achieve with my script

21:07:07

Load older messages

There are no newer messages yet.

	Nix Rust	639 Members
	Rust	147 Servers