On Wed, Aug 3, 2022 at 12:03 PM Andy Wang <cbeuw.andy(a)gmail.com> wrote:
> rustup is used to *download official / beta / nightly toolchains from
> the internet*, so having to download rustup itself as well isn't that
> bad, I think.
Official rust builds are signed and rustup does verify the signature:
https://github.com/rust-lang/rustup/blob/master/src/dist/download.rs#L167. Having rustup
packaged would create a chain of trust from Fedora's official repo to the downloaded
toolchain. In any case, tt's more convenient to the users if they can get it directly
from a package manager.
You can also get the toolchain itself from Fedora though, which we
keep up-to-date with every stable upstream release on all active
Fedora releases. There's only a small delay due to the bodhi update
process, about a week. (Or less if people give karma!)
Maybe you still want rustup for beta/nightly toolchains, or for trying
code with even older toolchains. I just want to make sure that for the
*stable* Rust toolchain, we're setting the expectation that Fedora's
own toolchain packages should work well.
Thanks,
Josh