cargo-binstall release install broken

[leighmcculloch]

There are two issues:

• Install doesn't use binaries
• When building from source, --locked doesn't get used

 > [13/14] RUN cargo binstall -y stellar-cli:                                   
3.488  INFO resolve: Resolving package: 'stellar-cli'                           
13.85 ERROR resolve: When resolving stellar-cli bin soroban is not found. This binary is not optional so it must be included in the archive, please contact with upstream to fix this issue.
13.85  WARN resolve: Error while downloading and extracting from fetcher github.com: failed to find or install binaries: bin file /home/gitpod/.cargo/bin/cargo-binstallCksUwY/bin-stellar-cli-x86_64-unknown-linux-gnu-GhCrateMeta/soroban not found
14.49  WARN The package stellar-cli v21.5.3 will be installed from source (with cargo)
16.37     Updating crates.io index
16.73  Downloading crates ...
17.23   Downloaded stellar-cli v21.5.3
19.62   Installing stellar-cli v21.5.3
21.03     Updating crates.io index
26.04 error: failed to compile `stellar-cli v21.5.3`, intermediate artifacts can be found at `/tmp/cargo-installpsW1p2`.
26.04 To reuse those artifacts with a future compilation, set the environment variable `CARGO_TARGET_DIR` to that path.
26.04 
26.04 Caused by:
26.05   failed to select a version for `syn`.
26.05       ... required by package `futures-macro v0.3.31`
26.05       ... which satisfies dependency `futures-macro = "=0.3.31"` of package `futures-util v0.3.31`
26.05       ... which satisfies dependency `futures-util = "^0.3.30"` of package `soroban-cli v21.5.3`
26.05       ... which satisfies dependency `soroban-cli = "=21.5.3"` of package `stellar-cli v21.5.3`
26.05   versions that meet the requirements `^2.0.52` are: 2.0.79, 2.0.78, 2.0.77, 2.0.76, 2.0.75, 2.0.74, 2.0.73, 2.0.72, 2.0.71, 2.0.70, 2.0.69, 2.0.68, 2.0.67, 2.0.66, 2.0.65, 2.0.64, 2.0.63, 2.0.62, 2.0.61, 2.0.60, 2.0.59, 2.0.58, 2.0.57, 2.0.56, 2.0.55, 2.0.54, 2.0.53, 2.0.52
26.05 
26.05   all possible versions conflict with previously selected packages.
26.05 
26.05     previously selected package `syn v2.0.39`
26.05       ... which satisfies dependency `syn = "=2.0.39"` of package `soroban-builtin-sdk-macros v21.2.0`
26.05       ... which satisfies dependency `soroban-builtin-sdk-macros = "=21.2.0"` of package `soroban-env-host v21.2.0`
26.05       ... which satisfies dependency `soroban-env-host = "=21.2.0"` of package `soroban-cli v21.5.3`
26.05       ... which satisfies dependency `soroban-cli = "=21.5.3"` of package `stellar-cli v21.5.3`
26.05 
26.05   failed to select a version for `syn` which could resolve this conflict
26.18 ERROR Cargo errored! ExitStatus(unix_wait_status(25856))
26.32 ERROR Fatal error:
26.32   × For crate stellar-cli: subprocess /home/gitpod/.rustup/toolchains/1.81-
26.32   │ x86_64-unknown-linux-gnu/bin/cargo install stellar-cli --version 21.5.3
26.32   │ errored with exit status: 101

---

Note that related to this, I'm suggesting we remove installing with cargo-binstall from the docs, but I still think we should support it and fix this issue, the change to the docs is just because I don't think we should be pushing it as a preferred way to install ahead of other things like homebrew which has more attention to supply chain security.

• Update install instructions of the stellar-cli stellar-docs#1045

[od-hunter]

Hi @leighmcculloch , can I work on this please? I'm ready to work.

[Benjtalkshow]

@leighmcculloch
Is this issue open for contribution? I am ready to work on it.

[janewang]

Don't use signed attestation for binary from github

[leighmcculloch]

Don't use signed attestation for binary from github

@janewang Could you elaborate?

[leighmcculloch]

I don't think attestation or binary signing is the reason the bininstall command is broken.

[janewang]

@leighmcculloch Nando said it was your suggestion that we no longer support binstall as we are shipping binaries.

If we are no longer supporting binstall, then the work here is to remove the install method in the docs and everywhere it's mentioned.

Willem also mentioned that binstall is not using GitHub attestations.

[leighmcculloch]

Docs and install instructions were updated to not mention cargo-bininstall since it's not the primary way we are encouraging folks to install the cli:

• Update install instructions of the stellar-cli stellar-docs#1045
• Update install instructions to match stellar-docs #1679

The intent of the issue is to fix cargo-bininstall install method of the cli so it still works when used by others, after all it's still a tool folks are using in the Rust ecosystem to install packages.

[github-actions]

This issue is stale because it has been assigned for 30 days with no activity. It will be closed in 30 days unless the stale label is removed, and the assignee is removed or updated.

[leighmcculloch]

Unassigned because this is a low priority, and I assume from lack of activity no one is probably working on it. Obviously reassign if this is a mistake on my part.