Packaging process builds Rust code #6817

legoktm · 2023-05-17T19:10:20Z

Our make build-debs packaging process needs to build a Rust wheel and install it into the virtualenv. As part of this we need to make sure that the built wheel is fully reproducible so we aren't regressing on reproducible builds.

The text was updated successfully, but these errors were encountered:

For the Sequoia work, we're planning to use 1.69.0 so we need to update the builder to match. This is being done separately since it already affects a production component (the cryptography wheel) and should be tested independently. This also lets us get rid of our index-warming hack since we can use the new fast sparse protocol instead (<https://blog.rust-lang.org/2023/03/09/Rust-1.68.0.html#cargos-sparse-protocol>). Refs #6817.

legoktm · 2023-06-27T18:41:02Z

Just noting that in my dev Qubes VM with 6 CPU cores assigned, it takes a little over 4 minutes to build redwood in release mode.

Use maturin to build the redwood wheel and then install it into the virtualenv shipped in the Debian package. A testinfra check is added that verifies the redwood wheel is importable and is able to generate a key pair. Fixes #6817.

legoktm · 2023-06-28T20:13:48Z

So here's what maturin is doing under the hood, as discovered by RUST_LOG=debug maturin build -m redwood/Cargo.toml -v -r

2023-06-28T20:05:49.562717Z DEBUG maturin::project_layout: Using cargo manifest path from command line argument: "/home/user/github/freedomofpress/securedrop/redwood/Cargo.toml"
2023-06-28T20:05:49.562741Z DEBUG maturin::project_layout: Resolving cargo metadata from "/home/user/github/freedomofpress/securedrop/redwood/Cargo.toml"
2023-06-28T20:05:49.680016Z DEBUG maturin::project_layout: Found pyproject.toml at "/home/user/github/freedomofpress/securedrop/redwood/pyproject.toml"
2023-06-28T20:05:49.680486Z DEBUG maturin::project_layout: Resolving cargo metadata from "/home/user/github/freedomofpress/securedrop/redwood/Cargo.toml"
2023-06-28T20:05:49.798743Z DEBUG maturin::project_layout: Project layout resolved project_root=/home/user/github/freedomofpress/securedrop/redwood python_dir=/home/user/github/freedomofpress/securedrop/redwood rust_module=/home/user/github/freedomofpress/securedrop/redwood/redwood python_module=/home/user/github/freedomofpress/securedrop/redwood/redwood extension_name=redwood module_name=redwood
🔗 Found pyo3 bindings
2023-06-28T20:05:49.892508Z DEBUG maturin::python_interpreter: Found CPython interpreter at /home/user/github/freedomofpress/securedrop/.venv/bin/python3
🐍 Found CPython 3.8 at /home/user/github/freedomofpress/securedrop/.venv/bin/python3
📡 Using build options compatibility from pyproject.toml
2023-06-28T20:05:49.892782Z DEBUG maturin::compile: Setting PYO3_PYTHON to /home/user/github/freedomofpress/securedrop/.venv/bin/python3
2023-06-28T20:05:49.892800Z DEBUG maturin::compile: Running CARGO_ENCODED_RUSTFLAGS="-C\u{1f}link-arg=-fuse-ld=/usr/bin/mold" PYO3_ENVIRONMENT_SIGNATURE="cpython-3.8-64bit" PYO3_PYTHON="/home/user/github/freedomofpress/securedrop/.venv/bin/python3" PYTHON_SYS_EXECUTABLE="/home/user/github/freedomofpress/securedrop/.venv/bin/python3" "cargo" "rustc" "--message-format" "json-render-diagnostics" "-v" "--manifest-path" "/home/user/github/freedomofpress/securedrop/redwood/Cargo.toml" "--release" "--lib"
...
2023-06-28T20:08:25.756120Z DEBUG maturin::module_writer: Adding redwood-0.1.0.dist-info/METADATA
2023-06-28T20:08:25.756369Z DEBUG maturin::module_writer: Adding redwood-0.1.0.dist-info/WHEEL
2023-06-28T20:08:25.756691Z DEBUG maturin::module_writer: Adding redwood/__init__.py
📖 Found type stub file at redwood.pyi
2023-06-28T20:08:25.756900Z DEBUG maturin::module_writer: Adding redwood/__init__.pyi from /home/user/github/freedomofpress/securedrop/redwood/redwood.pyi
2023-06-28T20:08:25.757153Z DEBUG maturin::module_writer: Adding redwood/py.typed
2023-06-28T20:08:25.757345Z DEBUG maturin::module_writer: Adding redwood/redwood.cpython-38-x86_64-linux-gnu.so from /home/user/.cargo/target/release/maturin/libredwood.so
2023-06-28T20:08:26.382540Z DEBUG maturin::module_writer: Adding redwood-0.1.0.dist-info/RECORD
📦 Built wheel for CPython 3.8 to /home/user/.cargo/target/wheels/redwood-0.1.0-cp38-cp38-linux_x86_64.whl

Here's what the __init__.py file contains:

from .redwood import *

__doc__ = redwood.__doc__
if hasattr(redwood, "__all__"):
    __all__ = redwood.__all__

for reference:

>>> redwood.__all__
['generate_source_key_pair', 'encrypt_message', 'encrypt_file', 'decrypt', 'RedwoodError']
>>> redwood.__doc__
'A Python module implemented in Rust.'

I thiiiiink we could just do this ourselves?? Will keep poking.

Use maturin to build the redwood wheel and then install it into the virtualenv shipped in the Debian package. A testinfra check is added that verifies the redwood wheel is importable and is able to generate a key pair. Fixes #6817.

legoktm · 2023-06-29T17:30:14Z

It ended up being like 40 lines of Python, which is pretty good I think!

maturin does have some nice safety features, like it checks that the PyInit_redwood symbol is present (https://github.com/PyO3/maturin/blob/3ea1d0f165351d44f4c02afed98a226334401558/src/compile.rs#L539), so I think we should eventually switch back to it, but I think we can just wait until it lands in Debian - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999850

And since it's statically compiled, hopefully we'll just be able to use it directly out of unstable/testing (might run into glibc version issues?).

Use maturin to build the redwood wheel and then install it into the virtualenv shipped in the Debian package. A testinfra check is added that verifies the redwood wheel is importable and is able to generate a key pair. Fixes #6817.

Use our script to build the redwood wheel and then install it into the virtualenv shipped in the Debian package. A testinfra check is added that verifies the redwood wheel is importable and is able to generate a key pair. Fixes #6817.

legoktm mentioned this issue May 17, 2023

Use Sequoia-PGP instead of gpg/pretty_bad_protocol #6399

Closed

14 tasks

legoktm added the Rust Issues that touch Rust code label May 17, 2023

cfm added this to SecureDrop dev cycle May 18, 2023

zenmonkeykstop moved this to Cycle Backlog in SecureDrop dev cycle May 19, 2023

legoktm mentioned this issue May 31, 2023

Update Rust in builder to 1.69.0 #6832

Merged

4 tasks

zenmonkeykstop moved this from Cycle Backlog to Ready to go in SecureDrop dev cycle Jun 20, 2023

legoktm self-assigned this Jun 27, 2023

legoktm mentioned this issue Jun 27, 2023

Build Rust redwood wheel during packaging process #6884

Merged

13 tasks

zenmonkeykstop moved this from Ready to go to Cycle Backlog in SecureDrop dev cycle Jul 3, 2023

zenmonkeykstop moved this from Cycle Backlog to Ready For Review in SecureDrop dev cycle Jul 10, 2023

zenmonkeykstop added this to the SecureDrop 2.7.0 milestone Jul 12, 2023

cfm closed this as completed in #6884 Aug 8, 2023

github-project-automation bot moved this from Ready For Review to Done in SecureDrop dev cycle Aug 8, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Packaging process builds Rust code #6817

Packaging process builds Rust code #6817

legoktm commented May 17, 2023 •

edited

Loading

legoktm commented Jun 27, 2023

legoktm commented Jun 28, 2023

legoktm commented Jun 29, 2023

Packaging process builds Rust code #6817

Packaging process builds Rust code #6817

Comments

legoktm commented May 17, 2023 • edited Loading

legoktm commented Jun 27, 2023

legoktm commented Jun 28, 2023

legoktm commented Jun 29, 2023

legoktm commented May 17, 2023 •

edited

Loading