Download Rust into $XDG_CACHE_HOME

Question

Download Rust into $XDG_CACHE_HOME

robertvazan opened this issue 4 years ago · 16 comments

$HOME is not writable in flatpak and other app containers, because allowing arbitrary writes under $HOME would allow easy container escape by adding binaries in ~/.local/bin/ for example (which Corrosion happens to be doing with rust-analyzer, BTW). You should instead use variables defined in XDG Base Directory Specification just like the rest of Eclipse does. The most suitable location for Rust downloads would be probably $XDG_CACHE_HOME.

This would also prevent polluting user's home directory with more application-specific data directories as $XDG_CACHE_HOME defaults to $HOME/.cache.

BTW, I did not find a way to point Corrosion to my own installation of Rust. Normal installation includes rustc and cargo binaries and it can include rust-analyzer, but Corrosion for some reason requires rustup (the installer).

Answer 1 · 2021-03-19T14:49:59.000Z

Can you please submit a PR for that? The issue if that XDG_CACHE_HOME is not multi-platform.

but Corrosion for some reason requires rustup (the installer).

I think if cargo is found, rustup shouldn't be required. Can you please open a separate issue describing this issue with rustup, with minimal workflow to reproduce?

Answer 2 · 2021-03-19T15:08:31.000Z

Added #367 for the local installation issue.

I think the rest of Eclipse is using some Eclipse-specific API to find the right directory, isn't it? I have never done Eclipse plugin development before, so I don't know how to implement this and I have no way to test a PR anyway.

$XDG_CACHE_HOME will be empty on other platforms. You can safely fall back to current behavior in that case. It's a simple change that would unblock container use cases.

Answer 3 · 2021-03-19T15:17:31.000Z

I think the rest of Eclipse is using some Eclipse-specific API to find the right directory, isn't it?

To be honest, I don't know. I'm not aware of such API. It's most probably that each plugin has it's own logic.
Note that the "Install" step does use the rustup script from https://rustup.rs/ . Is this one using the $XDG_CACHE_HOME? If not, please open an issue to rustup first and we'll pick the updated script when it's available.

For rust-analyzer, we're following the install instructions from rust-analyzer itself. I'd rather not deviate from the standard.

Answer 4 · 2021-03-19T15:48:48.000Z

You can set RUSTUP_HOME:

https://rust-lang.github.io/rustup/environment-variables.html

No idea where does ~/.cargo directory come from. Is that also created by rustup? Corrosion preferences make it look like it's a separate download & install. Why is it even needed when rustup installs cargo too?

Which rust-analyzer install instructions are you referring to? Do you mean the part of the manual linked below?

https://rust-analyzer.github.io/manual.html#rust-analyzer-language-server-binary

It says rust-analyzer just needs to be somewhere in $PATH and that's probably just so that IDE can find it. Since you are installing it yourself, you know where you install it and you don't need to keep it in $PATH.

Answer 5 · 2021-03-19T15:50:58.000Z

BTW, even outside container, it's probably not such a great idea to install dependencies like this globally. Downloaded dependencies should be somewhere in private Corrosion directory.

Answer 6 · 2021-03-20T07:11:35.000Z

Turns out this is a long-standing issue in upstream (rust-lang/rfcs#1615). Apparently some people are against it with argument that goes like "why make things easier for 3rd party tools by making our own code more complicated". The 3rd party tool is Corrosion in this case. So that's it. If this is to be done, it will have to be done on Corrosion level with some hope that someday it will be fixed upstream.

Answer 7 · 2021-03-20T08:17:31.000Z

Thanks for finding out the root issue upstream.
Is this issue a blocker for usage of Corrosion inside a flatpak container? That may have some impact on the priority.
Note that, independently of my priorities, I always try to make reviews highest priority. So if you can submit a PR or influence someone in submitting one, I'll gladly review and hopefully merge it.

Answer 8 · 2021-03-20T08:24:15.000Z

There's no workaround. Flatpak does not allow path remapping. Sharing ~/.local/bin defeats the purpose of containerization. I could install Rust in the right location inside the container, but I cannot configure Corrosion to use it due to #367. So yes, this is a blocker.

I currently don't have time to climb the learning curve of Eclipse plugin development.

Answer 9 · 2021-03-20T08:30:06.000Z

So this one is not a blocker but #367 is?

Answer 10 · 2021-03-20T08:34:18.000Z

Solving either one will unblock container use.

Right now, if I want isolation, I can opt for either virtual machine with Eclipse+Corrosion or lightweight setup with Geany (or other editor) + dockerized Rust.

Answer 11 · 2021-03-20T15:49:21.000Z

In order to get rustup to install everything in custom location, Corrosion has to:

set RUSTUP_HOME
set CARGO_HOME
pass in --no-modify-path parameter

It also has to download rust-analyzer binary in the custom location. When running rust-analyzer or cargo/rustc, $CARGO-HOME/bin must be added to PATH.

Answer 12 · 2021-09-27T20:14:58.000Z

Corrosion relies on rustup to install toolchains and I think that should be preserved. If the concern is Flatpak please try installing corrosion in https://github.com/flathub/org.eclipse.Java - it contains a shim which allows executing host commands so corrosion was working fine in flatpak last I tried.

Answer 13 · 2021-09-28T06:45:52.000Z

Doesn't that create a hole in the container? I have my own Eclipse flatpak build that completely isolates the container from the host.

Answer 14 · 2021-09-28T06:50:39.000Z

It does but that's not an issue for an IDE and especially when we speak about C/C++ development there is practically no way to have all tools/libraries/headers in the container.

Answer 15 · 2021-09-28T08:01:28.000Z

@akurtakov I am pretty sure I would be able to cram C/C++ toolchain in the container.

Isolation is a very serious issue for IDEs. IDEs download literally thousands of components that were built on machines of thousands of developers. At least one of them is bound to be compromised. It's either containers or VMs or online IDEs (which themselves run in VMs). I personally prefer containers for their superior desktop integration.

Answer 16 · 2021-09-28T08:06:34.000Z

Isolation is a very serious issue for IDEs. IDEs download literally thousands of components that were built on machines of thousands of developers.

Actually, isolation is more often an anti-pattern for IDE. I stands for "Integrated", and on a desktop, it means integrated with other tools the developer may need.
Developers who need specific isolation on a desktop IDE need to define it by themselves because there is no 1 common need or common variation that fits everyone. Each developer would basically have to define their own container/sandbox that fits them best.
That said, if you're willing to provide a PR to ease Flatpak integration without reducing the quality for the "vanilla" case of the IDE being in a desktop and integration with other local apps efficiently; those would probably be welcome.