From: Nirbheek Chauhan <nirbheek@centricular.com>
To: Alexander Kanavin <alex.kanavin@gmail.com>
Cc: tarun@centricular.com, openembedded-core@lists.openembedded.org,
sebastian@centricular.com
Subject: Re: [OE-core] [PATCH v2] gstreamer1.0-plugins-rs: add new package
Date: Wed, 13 May 2026 18:40:54 +0530 [thread overview]
Message-ID: <aa1e4940d5cf8b60f404822679a601ddf6b7794e.camel@centricular.com> (raw)
In-Reply-To: <CANNYZj9CND_HxCwiWUyt1Boej19_5Nnm76NXhZ+NtazYD-Zukw@mail.gmail.com>
On Wed, 2026-05-13 at 14:15 +0200, Alexander Kanavin wrote:
> Are these copies listed in Cargo.toml of the plugins? If so, they
> shouldn't be manually specified in SRC_URI, instead they should be in
> the auto-generated gstreamer1.0-plugins-rs-crates.inc, and the build
> process should be able find and use them.
Yes, but only with the plugins published to crates.io. That's how
`cargo publish` works. Tarun is exploring whether to switch to that,
and split this recipe into separate recipes for each plugin.
> There are concerns over discovering and fixing a critical security
> issue in one of the components, when they are vendored into the
> source
> tree this way, all because the compiler team can't settle on an ABI.
> I'm sure you've seen that many times before. The issue is general to
> rust (or node.js or any number of similar approaches to dependency
> management) and not gstreamer-specific, but I still wanted to mention
> it. The problem is, when it happens, it's the integrators that have
> to
> deal with it, not the compiler writers and not the component writers.
Yeah this is a problem for projects that aren't written in Rust, and
this is why Debian ships its own source packages for all the crates,
and they would update / patch those crates independently of what
Cargo.lock says for a project. I don't think that infra exists in Yocto
right now.
Rust projects would just run `cargo audit` and that would recursively
update all crates to fix security vulnerabilities, but that breaks if
you're using Rust to create C libs.
Cheers,
Nirbheek
prev parent reply other threads:[~2026-05-13 13:25 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 13:34 [PATCH] gstreamer1.0-plugins-rs: add new package Taruntej Kanakamalla
2026-05-12 10:30 ` [OE-core] " Mathieu Dubois-Briand
2026-05-13 7:14 ` Taruntej Kanakamalla
2026-05-12 19:28 ` Peter Kjellerstedt
2026-05-13 7:25 ` Taruntej Kanakamalla
2026-05-13 7:56 ` Peter Kjellerstedt
2026-05-13 7:11 ` [PATCH v2] " Taruntej Kanakamalla
2026-05-13 10:19 ` [OE-core] " Alexander Kanavin
2026-05-13 11:23 ` Nirbheek Chauhan
2026-05-13 11:45 ` Alexander Kanavin
2026-05-13 12:02 ` Nirbheek Chauhan
2026-05-13 12:15 ` Alexander Kanavin
2026-05-13 13:10 ` Nirbheek Chauhan [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aa1e4940d5cf8b60f404822679a601ddf6b7794e.camel@centricular.com \
--to=nirbheek@centricular.com \
--cc=alex.kanavin@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=sebastian@centricular.com \
--cc=tarun@centricular.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.