| 20 Nov 2025 |
 dotlambda | In reply to @robert:funklause.de
I would hope that adding something like pkgsCross.wasi32.buildPackages.rustc does the trick Sadly, it fails to build with a complaint about missing a "wasi-root" key in bootstrap.toml | 22:09:51 |
| 21 Nov 2025 |
|  Diogo Correia joined the room. | 09:01:19 |
| Diogo Correia | Some progress on this over at https://github.com/NixOS/nixpkgs/pull/463720 | 11:21:35 |
|  amadaluzia changed their display name from amadaluzia to amadaluzia (🇹🇷 til 25th). | 14:45:43 |
|  isabel changed their profile picture. | 18:14:28 |
|  @some1deleted:matrix.org left the room. | 21:23:24 |
| 22 Nov 2025 |
|  raizo joined the room. | 12:27:32 |
|  @cuer:envs.net removed their profile picture. | 15:09:23 |
| @cuer:envs.net removed their display name Cuer. | 15:09:26 |
| @cuer:envs.net left the room. | 15:09:28 |
| 24 Nov 2025 |
 rosssmyth | Some experimenting I was doing today
https://github.com/RossSmyth/fetch-cargo-index | 01:02:15 |
 niklaskorz | so how big is the generated index? 😅 | 10:50:28 |
 Acid Bong | it'd be more convenient if Crates themselves forbade downloading insecure libraries | 11:08:36 |
| amadaluzia changed their display name from amadaluzia (🇹🇷 til 25th) to amadaluzia. | 12:57:05 |
 dish [Fox/It/She] | In reply to @niklaskorz:matrix.org
so how big is the generated index? 😅 at the end of the readme, says about 50MB x_x | 14:32:42 |
| niklaskorz | well maybe we shouldn't include the whole cargo-verse | 14:43:56 |
| dish [Fox/It/She] | if we try to do filtering we end up like nodePackages | 14:44:26 |
| dish [Fox/It/She] | which is to say, not good | 14:44:37 |
| rosssmyth | Yeah unfortunately I'm unsure of a much better way.
Only including deps that Nixpkgs requireds in a json file quickly would become similar to nodePackages, where every time a crate is added it is required to modify a file which results in merge conflict hell usually, especially if it is minimized to reduce storage space requirements | 17:33:00 |
| rosssmyth | The other idea would be to have a package set that is similar to all-packages, which I think tooling could be made that wouldn't make it too bad | 17:33:35 |
| rosssmyth | That's basically yanked packages, which that prototype tool already filters out automatically. But unfortunately yanked packages cannot be relied on. | 17:34:37 |
| rosssmyth | * That's basically yanked packages, which that prototype tool already filters out automatically. But unfortunately yanked packages cannot be relied on for security. | 17:34:48 |
| rosssmyth | Since it could be an unmaintained package, so the author would not yanked it | 17:35:13 |
| rosssmyth | * Since it could be an unmaintained package, so the author would not yank it | 17:35:17 |
| rosssmyth | I have another PR up that if combined with yanked package elimiation would catch CVEs
https://github.com/NixOS/nixpkgs/pull/458881 | 17:36:16 |
| rosssmyth | * I have another PR up that would catch CVEs
https://github.com/NixOS/nixpkgs/pull/458881 | 17:36:25 |
| niklaskorz | oh that's amazing! | 18:16:46 |
| 25 Nov 2025 |
 WeetHet | Why not do it like this and collect them using nix?
use rayon::iter::ParallelIterator;
#[allow(dead_code)]
#[derive(serde::Serialize)]
struct CrateJson {
name: String,
version: String,
checksum: [u8; 32],
deps: Vec<String>,
}
fn main() {
let index = crates_index::GitIndex::with_path("../index", crates_index::git::URL).unwrap();
println!("Processing crates...");
index
.crates_parallel()
.filter_map(|c| c.ok())
.for_each(|c| {
println!("Processing crate: {}", c.name());
let name = c.name();
let versions = c.versions();
let mut major_versions: std::collections::HashMap<u64, Vec<&crates_index::Version>> =
std::collections::HashMap::new();
for v in versions {
if let Ok(semver) = semver::Version::parse(v.version()) {
if semver.major == 0 {
let key = semver.minor + 1000000;
major_versions.entry(key).or_default().push(v);
} else {
major_versions.entry(semver.major).or_default().push(v);
}
}
}
for (_, mut group) in major_versions {
group.sort_by(|a, b| {
let va = semver::Version::parse(a.version()).unwrap();
let vb = semver::Version::parse(b.version()).unwrap();
vb.cmp(&va)
});
if let Some(latest) = group.first() {
let semver = semver::Version::parse(latest.version()).unwrap();
let major_ver = if semver.major == 0 { 0 } else { semver.major };
let prefix = if name.len() >= 2 { &name[..2] } else { name };
let dir_path = format!("rust-crates/by-name/{}/{}", prefix, name);
std::fs::create_dir_all(&dir_path).unwrap();
let file_path = format!("{}/v{}.json", dir_path, major_ver);
let crate_json = CrateJson {
name: name.to_string(),
version: latest.version().to_string(),
checksum: *latest.checksum(),
deps: latest
.dependencies()
.iter()
.map(|d| d.name().to_string())
.collect(),
};
let json = serde_json::to_string(&crate_json).unwrap();
std::fs::write(&file_path, json).unwrap();
}
}
});
}
| 14:10:21 |
| Acid Bong | just realized I'm running Hacksaw with xcb-0.9, which contains a CVE 💀 i hope bumping it to 1.6 won't break anything | 14:13:02 |
| rosssmyth | Yes of course there is more processing to do. This was just an idea I had and I wanted to see how large the JSON file would actually be. This doesn't actually change anything. | 19:05:27 |
