Hum... I didn't know cargo was doing such things... It is bad... And how does it pass through my security parameters that avoid any installation (via the Windows ransomware protection)?
It downloads sources and then compiles them. Why would your “security parameters” stop that? Once downloaded that source is more-or-less undistinguishable from source that you wrote.
That's the reason for cargo's existence (and its name, too). And it's explained in the 2nd chapter of the Rust book. And cargo is not silent, it actually reports when it downloads stuff.
Thanks. But I already have the... Sorry, a solution.
Into Cargo.toml:

```toml
[target.'cfg(windows)'.dependencies]
winapi-util = "0.1"
```

And as main.rs:

```rust
use std::process::Command;

fn main() {
    // Useless, only here to follow the recommendation
    // to use Command once before reset.
    Command::new("cmd.exe")
        .arg("/c")
        .arg("color")
        .arg("07")
        .status()
        .unwrap();
    enable_virtual_terminal_processing();
    eprintln!(
        // "success" in blue and "indeed" in red
        "\x1B[94m\nsuccess\x1B[91m indeed\x1B[39m"
        // "\x1B[94m\nsuccess\x1B[91m indeed" would render the
        // same and is shorter, but it lets you assume any output coming
        // next will be red unless something says otherwise first.
    );
}

#[cfg(windows)]
pub fn enable_virtual_terminal_processing() {
    use winapi_util::console::Console;
    if let Ok(mut term) = Console::stdout() {
        let _ = term.set_virtual_terminal_processing(true);
    }
    if let Ok(mut term) = Console::stderr() {
        let _ = term.set_virtual_terminal_processing(true);
    }
}
```
That's it!
Yes, you ask cargo to download and install a couple of crates and then use them. But that's precisely what you complained about when people offered to use termcolor!
And one of these modules comes from the author of said termcolor and literally exists as a support crate for said termcolor!
Why would you trust the exact same guy in one case but not in the other case?
I trust(ed?) cargo. I didn't ask it to download anything, and I don't like that it does such a thing without asking before, nor even tells me it did that! I use Rust when I need to not trust anything but the OS and the language itself, not even me, when the memory safety is really at stake.
termcolor is a really good API, I use it all the time with Python, and I recommend it, it is not my point to discard it.
Yes, that uses third party code.
I'm going to bow out now because your comments don't make any sense to me and there is no real back-and-forth happening in this conversation and I don't know how to fix that.
Yes, you did. When you wrote that:
That was, quite literally, a request to go and download the winapi-util crate (if needed for the target platform).
Why would the program whose primary reason to exist is to download stuff tell you something when you explicitly ask it to download something?
From the Cargo Book:
Cargo is the Rust package manager. Cargo downloads your Rust package's dependencies, compiles your packages, makes distributable packages, and uploads them to crates.io, the Rust community’s package registry.
Cargo is, quite literally, a package manager! Management of downloads and uploads is its primary role! Yes, it can be used as a replacement for make, but even its name hints at what its primary role is!
Why you would expect a package manager not to download and install packages is beyond me.
It's like expecting that a car wouldn't have wheels or a plane wouldn't fly!
I think there may be a confusion. There is a "termcolor" in Python land and a "termcolor" in Rust land and I think they may do the same kind of thing but they are different.
Well, it says it compiles it, not that it downloads it. And I repeat, I hate anything that puts anything on my computer without my permission (which would be "Ok" to a "download this or that?" proposal).
I don't even put any cargo add, which is not specific anyway, since I could add to my project plenty of things I'd already have on my computer. And I would never type a thing like cargo init --bin
My first bad: thinking nothing but me could install anything onto my computer without me picking an option "Download".
My second bad: presuming maybe the cargo compilation rendering was by winapi-util, and I've get it together.
So I will probably leave cargo. What's the point of using a language for its safety reputation, if its tools are not?
If you look at the source of cargo you'll see that it uses that same termcolor that started the whole discussion.
But that's an implementation detail, not something which cargo is providing for Rust projects.
Similarly to how GCC uses GMP internally yet doesn't automatically provide multiple precision arithmetic to C programs.
Why did you expect that the Rust world would work differently from literally everything else?
No.
It started (and finished) with ANSI escape codes, then you came with your thing. For which I could (had, actually) thank you if it hadn't gone that south.
It is (was) my topic, I decide, what, how, and why. If your answer is not my choice, sorry, you have to deal with that.
Thank you anyway, I'm pretty sure a lot of people who will read this topic to solve the same issue will prefer your tip. So, keep smiling buddy!
It's how modern languages all work. It's hard to work around if you want to use dependencies, because transitively, you may have dozens or hundreds of them. In npm-land, thousands. There are various tools like cargo-crev to help you make trust decisions if you don't want to do it all manually or YOLO it.
With Python, you might well be deferring to your distribution's package manager instead of the language's ecosystem to get it on your computer, but someone is still making that trust decision somewhere.
Whatever route you choose, I suggest compiling modern languages (including but not limited to Rust) in a dedicated, non-personal environment with restricted permissions. This can be annoying too, depending on your IDE situation, but it addresses some concerns. [1]
[1] Though not all, e.g. you're still going to have to trust the resulting binary if you want to run it outside your dev/build sandbox.
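
The trust decision discussed in this thread starts with knowing what a manifest line such as `winapi-util = "0.1"` pulls in. The sketch below is an added example, not code from any post or from Cargo itself: it reads a `Cargo.lock` and lists every package that comes from outside the workspace, noting whether it is pinned by a checksum. The lockfile text, the `some-git-dep` entry and the placeholder checksum and commit values are constructed for illustration.

```rust
// Added example (not from the thread or Cargo); SAMPLE_LOCK is constructed, with placeholders.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "myapp"
version = "0.1.0"
[[package]]
name = "winapi"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "<placeholder>"
[[package]]
name = "winapi-util"
version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "<placeholder>"
[[package]]
name = "some-git-dep"
version = "0.0.1"
source = "git+https://example.invalid/some-git-dep#<commit>"
"#;

#[derive(Debug, Default)]
struct Pkg { name: String, version: String, source: Option<String>, checksum: bool }

// Read `key = "value"` from one lockfile line.
fn field(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"').to_string())
}

// Packages with a `source` come from outside the workspace, i.e. Cargo fetches them.
fn external_packages(lock: &str) -> Vec<Pkg> {
    let mut pkgs = Vec::new();
    let mut cur: Option<Pkg> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            pkgs.extend(cur.replace(Pkg::default()));
        } else if let Some(p) = cur.as_mut() {
            if let Some(v) = field(line, "name") { p.name = v; }
            else if let Some(v) = field(line, "version") { p.version = v; }
            else if let Some(v) = field(line, "source") { p.source = Some(v); }
            else if field(line, "checksum").is_some() { p.checksum = true; }
        }
    }
    pkgs.extend(cur);
    pkgs.into_iter().filter(|p| p.source.is_some()).collect()
}
fn main() {
    for p in external_packages(SAMPLE_LOCK) { println!("{:?}", p); }
}
```

On a real project, feed it the contents of the project's own `Cargo.lock`. Running `cargo fetch` first and then `cargo build --offline --locked` separates the download step from the build and fails the build if the lockfile would have to change.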