Reduce the size of vendored dependencies for Rust applications #4384
Comments
Given that all of this is reproducible, like with Go, I'd like to see a way to avoid having to commit these to git at all. Maybe we can vendor them but exclude the vendor dir, but require local build to run it? The one thing we cannot do is enable networking in the container, because that messes up the ability to do reproducible builds and SBoMs, as anything can run.
What is the difference between vendoring at build time and letting cargo download crate sources itself?
We need the build process to always give the exact same results, and even more importantly, know exactly what is included. When we run the build with The ideal would be some kind of acceptable download from cargo that works when
When using `cargo vendor` a lot of unused dependencies are vendored, e.g. all crates related to Windows even though we are interested only in the Linux platform. The solution is to use https://github.com/coreos/cargo-vendor-filterer as following and later uncompress the archive in a Dockerfile. To make it clear: we do not need to use `--format`. In this case we keep the ./vendor folder and the size will still be much smaller, e.g. in case of `pkg/installer` the size is reduced from 318Mb to 56Mb. If we use compressed output we reduce size to 6.6Mb and a single file.
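An added example, not part of the issue or the project's code: a check that could run after the vendor archive is unpacked and before an offline build, so the build knows exactly what the vendor tree contains. It relies on the `.cargo-checksum.json` file that `cargo vendor` writes into each crate directory (a `files` map of relative path to SHA-256); the function names and report layout are assumptions made for this sketch.

```python
import hashlib
import json
import sys
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_vendor(vendor_dir):
    """Compare every vendored crate with its .cargo-checksum.json.

    Returns {crate_dir: {"bytes", "mismatched", "missing", "unlisted"}}.
    """
    report = {}
    for crate in sorted(p for p in Path(vendor_dir).iterdir() if p.is_dir()):
        entry = {"bytes": 0, "mismatched": [], "missing": [], "unlisted": []}
        report[crate.name] = entry
        manifest = crate / ".cargo-checksum.json"
        if not manifest.is_file():
            entry["missing"].append(".cargo-checksum.json")
            continue
        listed = json.loads(manifest.read_text()).get("files", {})
        on_disk = {p.relative_to(crate).as_posix(): p
                   for p in crate.rglob("*") if p.is_file() and p != manifest}
        for rel, digest in sorted(listed.items()):
            if rel not in on_disk:
                entry["missing"].append(rel)      # listed but absent
            elif sha256_file(on_disk[rel]) != digest:
                entry["mismatched"].append(rel)   # content differs from manifest
        # Files no manifest entry accounts for: review before building.
        entry["unlisted"] = sorted(set(on_disk) - set(listed))
        entry["bytes"] = sum(p.stat().st_size for p in on_disk.values())
    return report


def is_clean(report):
    """True when no crate has missing, mismatched or unlisted files."""
    return not any(e["mismatched"] or e["missing"] or e["unlisted"]
                   for e in report.values())


if __name__ == "__main__":
    result = audit_vendor(sys.argv[1] if len(sys.argv) > 1 else "vendor")
    for name, e in result.items():
        print(name, e["bytes"], e["mismatched"], e["missing"], e["unlisted"])
    sys.exit(0 if is_clean(result) else 1)
```

The per-crate byte totals also show which crates dominate the vendor tree's size.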