Description
openSUSE has always prided itself on being an innovative and unique Linux distribution. Our approach to Rust has been no different: unlike other distributions, we allow vendored crates, follow the upstream Rust release cadence, and more. Doing this is not without challenges, though. In this session, we'll talk about how Rust is different in openSUSE, how we tackle those tough issues around security and vendoring, and how we worked to make a chameleon and crab best friends.
A
A
So what is the purpose of an operating system these days, such as a Linux distribution? Well, it's to give you a platform to run applications on, and for us, in a way, to distribute applications to you. And it's really important for us to give you, you know, well-tested and secure applications so that you can have something you can rely on for your work every day. That's our job. And how do we get these to you? Well, we split everything up into packages and we ship them off to you.
A
Linux distribution package managers really are the C language manager, in a way. And of course, because of this, you know, fragility, this also led to a culture of risk aversion and change aversion. So we don't want to be updating C libraries through major versions, because we might break something. And of course, when we factor in also just, you know, C as a programming language has a, you know, tends to promote having a lot of vulnerabilities. Seventy percent of security defects are because of memory unsafety issues, and this was reported by both Microsoft and Google.
A
You know, and because of the fact that the C programming language has this tendency to be insecure, you know, when you combine this with the aversion and change aversion that exists because of the fragility of C libraries, you know, this makes for a community culture where patching and backporting things and keeping version, like, a single version of an application alive for a long time was, you know, the way that things were done. And our Linux distribution package managers have really evolved hand in hand with these ideals.
A
Other languages, however, have evolved since C, though. These are things like Rust, Go, Python, Ruby, and all of these have learnt their own individual and unique lessons from the past. Static linking, for example, is back, and this is because, you know, space, like hard drive space, is less of a con, less of a resource limit today. You know, and languages like Rust especially have their own built-in library and resolution manager to make sure that everything works.
A
Of course, as Rust developers, we're probably very surprised or shocked by this. That, and we feel like our distributions are holding Rust wrong or working against us. It's also not the first time that this has happened either. You know, this has had negative impacts on other programming language communities in the past, when, you know, package managers have tried to push their own ideas onto a programming language.
A
But I didn't just want my ideas. I wanted to hear what many people wanted, and so I ran a survey for users, and, you know, to get their feedback about what they wanted. And it was really fantastic to see how many people actually contributed to and responded to this survey. You know, not just from openSUSE or Linux distributions, but Mac users and window users, Windows users as well. And it's so good to have all of their inputs so that we can create a more consistent experience across different operating systems, giving you more choice. So overwhelmingly.
A
One of the things that was interesting was that, you know, as developers, you don't want to be using the Rust toolchain that comes with your distribution. You want to be using rustup and using the upstream toolchain, and that's really interesting. But what about libraries? You know, when you're building an application and you're developing something.
A
But again, this argument, you know, comes back to what we're talking about before, where 70 percent of those defects because of memory unsafety. It assumes a high number of security issues in the first place, which Rust eliminates a lot of these, not all, but a lot, just through the way that it is a memory safe language. And this is fantastic, because already shifted the bar much higher.
A
We also have a really security aware community, and it's a testament to the Rust community and the people, you know, watching this talk is how engaged you are with security. 80 of respondents indicated that they were using cargo audit or cargo outdated to make sure that all of their libraries were continually being updated and secured.
A
Of course, we as a distribution also need to be able to respond to security issues, and when we're vendoring our libraries in, we actually need to be able to go through those. So we can take our RPMs and what we've been distributing in the past, we can unpack them and scan them with tools like cargo audit, the same tools that you're using, and when we detect a security issue, we can actually then go through and re-vendor and update our libraries in order to resolve those security problems.
A
We can also work through with this process to make sure that we can target specific RUSTSEC IDs in case there is a high, you know, security incident that we need to respond to rapidly. But it takes a long time to rebuild, it's a waste of time and CPU, and it's slow, you're having to rebuild all these vendored applications all the time. Well, yes, it might be, but how about we address the reasons why it's slow, instead of, you know, making excuses.
A
First, there are less security issues in Rust, as already addressed, as already mentioned, which means that there's going to be less time spent patching, less time spent backporting, less time rebuilding, and that means more time for doing the things that you love. And, of course, the second issue being, you know, if Rust compile times are slow, well, let's speed that up.
A
There's already been amazing efforts to improve the speed of the Rust compiler in the community, but also we as a build service can use tools like sccache to improve rebuild times. We've actually integrated sccache with our build services so that Rust packages in openSUSE can use and consume sccache. So we can actually rebuild the entire Rust language toolchain in five minutes, down from two hours on an initial build. If anyone at Mozilla who works on sccache is watching this talk, please get in contact with me.
A
A
So what does the process look like now for you, if you were using openSUSE today as a developer? Well, you can just use our package manager zypper and install rustup. That's it. And you can use rustup exactly the same way you would if you were using curl pipe. In fact, you can still use that, and we might even be one of the only distributions that actually encourage you to use rustup rather than our own package toolchains, our package toolchains.
A
A
The spec file, which is what's used to generate the package, edit a metadata service file and, you know, run the services. And these services will automatically do the cargo vendor for you, they'll run cargo audit for you, and then, you know, bundle that all up into a vendor tarball, and then you can just build it. And it's very, very easy process and really approachable, and this means you can go from nothing to a packaged Rust application for a distribution in less than an hour.
A
You know, and, and I think, you know, since I spoke last year, late last year, we had about 50 packages in openSUSE that were depending on Rust. Now, about six months later, we have more than a hundred, which is fantastic to see that kind of growth and adoption within our distribution. And I really feel like it's, you know, such an endorsement of, you know, working with the community rather than against them.
A
A
You know, trust and secure, and, you know, really endorse and stand behind. And, of course, the open source community for really embracing Rust, and, you know, wanting to package and distribute applications, especially sock, vanilla seller and george craft, who have both done quite a bit with Rust in the community. So, and of course, I'd really like to thank you for taking time out of your day to watch this talk, and I hope you enjoyed the rest of RustConf.