-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cargo run / espflash flash... does not work offline. #334
Comments
Well you can review the rustsite of the buildsystem in build.rs and the source code in embuild yourself. Github is run by microsoft and pulling esp-idf github repo is part of the process and that involves creating request against github. Also esp-idf heavily relight on python in it's cmake buildsystem and pull dependency's via pip. That all needs to be installed and managed somehow and potentially kept up to date. We try to make this process as friction-less as possible. This friction-less setup might caught you off guard because you didn't review it yourself, but it helped countless people to even get a foothold into even starting this journey here. Keep in mind that this effort here is a community driven effort. We do it for the fun of it and if you want to influence or change something feel free to work on alternative means or create a PR improving documentation about it. If you need that for critical work stuff its your responsibility to keep things in order not the responsibility of some other folks on the internet. Though in all earnestie i ask you the following question. Why are you ok with crates.io and not ok with pulling stuff from pypy via pip or pulling a git repo from github? I mean i understand that you may not expected that other services besides crates.io are involved, if you aren't aware how esp-idf works. But the argument to allow one but not the other fells of a bit short. If that is not your cup of tea that is absolutely fine. There are a lot of ways to handle using esp-idf-sys even in an offline context. Though they require to learn more about the system and not just relight on others to do the heavy lifting, and some manual work. So feel free disagree with what i said, though one point i want to clarify, if you are somewhat serious, before asking open-ended "rhetorical" questions about if Microsoft should be "aware" of what we are doing, consider reviewing the buildsystem as mention and feel free to drop a question, in the linked matrix channel, if you don't understand how a particular thing works. |
Because crates.io is only used once when downloading the libraries. Not in each compilation ( It is absurd that every time I open the IDE to program, it is accessing the internet to see updates, and if it doesn't have internet access it doesn't allow me to program. I decide when I change the version of each library. And that is when I start Like crates.io we also have github.com and many other domains/subomains/IPs. But we don't tolerate internet access while we are programming. I don't know your understanding of security and privacy, but free access to the internet should not exist if you want to maintain a secure environment.
Yes, we will have to investigate further the functionality of esp in rust. That requires more time and dedication to things outside of development, simply because esp in rust is designed to work online right out of the box. |
Now, there are also ways to make it work offline without necessarily "Activating" ESP-IDF, but you need to - as per above - read the docu link I pasted and experiment a bit. You also have to realize the other point of view - that what you are expecting (nothing else than Where I'm going with that is that while I understand your "simply because esp in rust is designed to work online right out of the box" critique, this is unlikely to ever be changed NOT to be the default. As that would likely swing the pendulum to the wrong extreme. Feel free to open additional, more directed issues if decide to pursue the "offline" setup and stumble on problems / stuff which can be improved. |
Related: #338 |
This is not the native behavior of Rust or Rust Analyzer at all. We are using all of them offline, and it works: we can use vim to program, we can create new projects from scratch without downloading "libraries" again, without looking online for updates. But unfortunately this is not the case when developing for esp32. So Rust Analyzer/cargo check is not the problem here to switch it off.
The problem is that it connects too much to the internet, without the consent or knowledge of the developer. And esp32 developing in Rust is making Linux backdoor too. Every indirect and implicit action that requires online downloads is increasing the attack surface, because the user is not aware of that action since he has not done it. Magically things are downloaded and updated for the convenience of the developer. Whose convenience? No one has asked for it. Things can be clearly separated, as Rust does. Download/update and then work offline. The operation is and should be as follows:
@ivmarkov, thank you very much for the explanation and for all the details to work offline. We'll take a look to see if we don't have to spend too much time on things outside of development. We have considered migrating to Again, thank you very much for your help. |
Our systems (archlinux/gentoo) only have internet for certain applications/actions to their corresponding domains/subdomains and IP addresses.
The default policies drop both inbound, outbound and forwarding packets. (This should be the case for any enterprise and home computer to improve privacy and security).
We have been developing software in Rust for a long time and we understand that downloading libraries requires internet access. In such a case, access is allowed only to the
cargo build
instance and only to the domains and subdomainsindex.crates.io crates.io crates.io static.crates.io
.We are now creating projects in ESP32 (Xiao) and have encountered serious problems that prevent us from working securely and privately.
Neovim
(as developing IDE) does not work.Software development should certainly be offline.
It tries to connect to github (Microsoft), pypi.org, etc.
Cargo
run
(andespflash flash --monitor target/riscv32imac-esp-espidf/debug/...
) does not work offline:Stuks here. And the network log is:
Whenever we are developing something on our device, should Microsoft be aware of it?
Every time we are uploading a binary already compiled on our local device, should external servers know our IP address and other sensitive information?
Please fix that.
The text was updated successfully, but these errors were encountered: