-
Notifications
You must be signed in to change notification settings - Fork 164
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reduce the size of vendored dependencies for Rust applications #4384
Comments
Given that all of this is reproducible, like with go, I'd like to see a way to avoid having to commit these to git at all. Maybe we can vendor them but exclude the vendor dir, but require local build to run it? The one thing we cannot do is enable networking in the container, because that messes up the ability to do reproducible builds and SBoMs, as anything can run. |
what is the difference between vendoring at build time and letting cargo to download crate sources itself? |
We need the build process to always give the exact same results, and even more importantly, know exactly what is included. When we run the build with The ideal would be some kind of acceptable download from cargo that works when |
When using
cargo vendor
a lot of unused dependencies are vendored. e.g. all crates related to Windows even though we are interested only in linux platform. The solution is to use https://github.com/coreos/cargo-vendor-filterer as followingand later uncompress the archive in a Dockerfile. To make it clear: we do not need to use
--format
. in this case we keep ./vendor folder and the size will still be much smaller. e.g. in case ofpkg/installer
the size is reduced from 318Mb to 56Mb. If we use compressed ourput we reduce size to 6.6Mb and a single fileThe text was updated successfully, but these errors were encountered: