Re: [RFC PATCH v3 1/3] scripts: add kconfirm
From: Arnd Bergmann
Date: Mon May 18 2026 - 04:09:08 EST
On Mon, May 18, 2026, at 00:53, Miguel Ojeda wrote:
> On Sun, May 17, 2026 at 10:25 PM Demi Marie Obenour
> <demiobenour@xxxxxxxxx> wrote:
>>
>> I was hoping for Linux to avoid the Rust trend of downloading tons
>> of third-party crates, with all the supply-chain risks that entails.
>
> I completely agree -- it is why I said a well-known, vetted set of crates.
>
> That is, we should decide on e.g. a single CLI arg parser, a single
> logger, etc. for most of our tools, and ideally they should be
> well-known crates (ideally already trusted via use in the compiler
> itself).
>
> Moreover, they should be pinned with `--locked` or similar (like we
> already recommend for `bindgen-cli`), so that we only ever use
> something that matches the hash in the lockfile that would be
> committed in the tree.
What about dependencies that are normally shipped by the distros
along with the rust compiler? Would it be possible to allow a
range of versions that matches the ones that are present on
common distros like we do with C libraries, or would that cause
more problems than it solves?
Arnd
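A small audit of the committed-lockfile pinning Miguel describes above, as an added example that is not part of the kconfirm patch or of the kernel tree; the allowlist, the crate names and the Cargo.lock excerpt are constructed for illustration.

```python
# Added example, not part of the kconfirm patch or the kernel tree: audit a
# Cargo.lock so every registry crate is in the vetted set, at a vetted version,
# and carries the checksum cargo verifies when the lockfile is pinned via --locked.
import re

# Constructed allowlist: crate name -> versions vetted for in-tree tools.
VETTED = {"clap": {"4.5.4"}, "clap_builder": {"4.5.2"}}

# Constructed Cargo.lock excerpt; the checksum is a placeholder, not a real hash.
SAMPLE_LOCK = """\
version = 3
[[package]]
name = "clap"
version = "4.5.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER_SHA256"
[[package]]
name = "clap_builder"
version = "4.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "kconfirm"
version = "0.1.0"
"""
_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

def parse_lock(text: str) -> list[dict[str, str]]:
    """One dict per [[package]] table, holding its scalar string keys."""
    packages, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif current is not None and (m := _KV.match(line)):
            current[m.group(1)] = m.group(2)  # multi-line arrays are ignored
    return packages

def audit(text: str, vetted: dict[str, set[str]]) -> list[str]:
    """Findings for one lockfile; an empty list means it passes the policy."""
    findings = []
    for pkg in parse_lock(text):
        name, version = pkg.get("name", "?"), pkg.get("version", "?")
        if "source" not in pkg:
            continue  # path/workspace crate built from the tree itself
        if version not in vetted.get(name, set()):
            findings.append(f"{name} {version}: not in the vetted set")
        if "checksum" not in pkg:
            findings.append(f"{name} {version}: registry crate lacks checksum")
    return findings
```

Running `audit(SAMPLE_LOCK, VETTED)` on the excerpt flags only `clap_builder`, whose entry has no checksum; the in-tree `kconfirm` crate is skipped because it has no registry source.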