This is a big release! 0.29.0 includes all of the new features from Astral's fork of dist along with some new bugfixes. It also removes support for Axo Releases.

Pinning GitHub Actions to commits

By default, dist uses Actions via floating versioned tags such as actions/checkout@v4. Users with specific security requirements may instead want to pin these to specific commits so that they know exactly which version will be run. This release provides configuration to allow users to specify which commit to use for a given action. For more information, see the docs.

• impl @Gankra feat: add github-action-commits config

Recursive source tarballs, including the contents of submodules

While we've had support for source tarballs since 0.5.0, those tarballs have been limited to the contents of the base repository and didn't contain the contents of submodules. (This is a limitation of the git archive tool that we use to generate them.) This release adds support for recursive tarballs that include the contents of submodules as well. This feature is opt-in and can be enabled with the recursive-tarballs = true setting. For more information, see the docs.

• impl @Gankra feat: add recursive-tarballs

Support cross-compiling from Windows to Windows

In previous versions, dist would refuse to cross-compile from one Windows architecture to another. This release fixes that and allows the build to be attempted. We still default to cross-compiling via cargo-xwin; users who would like to try this will need to configure their builds to use a Windows runner. For example:

[dist.github-custom-runners.aarch64-pc-windows-msvc]
runner = "windows-2025"

• impl @baszalmstra fix: allow cross compiling from windows to windows

Installer improvements

We've improved compatibility for the shell installer by bringing in newer changes from the Rustup installer it was originally based on. We've also improved compatibility with Linux distributions that don't use the $HOME environment variable.

• impl @Gankra feat: improve installer.sh with changes from rustup
• impl @konstin feat: support Linux distros that don't set HOME

BYO GitHub bearer token for installers

In addition to the above, we now allow users to bring their own GitHub token to be used when fetching tarballs from GitHub. This is useful for users who are often rate-limited when downloading artifacts or who need to fetch artifacts from private repositories. Like our other environment variables, this is branded with your application's name in the format {APP_NAME}_GITHUB_TOKEN. This environment variable is supported in both the shell and PowerShell installers. For more information, see the docs.

• impl @Gankra feat: add {APP_NAME}_GITHUB_TOKEN install env-var

Reduce unnecessary credentials persistence in Actions config

This release includes some tweaks to generated Actions config in order to reduce the risk of accidentally persisting credentials longer in the run than necessary. This is always enabled and doesn't require configuration to opt into.

• impl @Gankra feat: add persist-credentials: false to checkouts

Allow overriding binaries per-platform

It's now possible to override the set of binaries to install on a per-platform basis. For example, a project with three binaries may choose to only install two of them on Windows, or may choose to provide an extra binary on other platforms. For more information, see the docs.

• impl @Gankra feat: allow overriding per-platform binaries

New setting for overriding packages to dist

A new top-level option, packages, allows specifying a list of exactly which packages should be disted. This overrides any individual dist = true or dist = false set in individual packages, and can be easier to reason about. For more information, see the docs.

• impl @Gankra feat: add packages override for externally setting dist=true/false

Overriding package versions

The new top-level version option overrides the individually-configuredversions for every package and instead causes dist to assume every package has the specified version. For more information, see the docs.

• impl @Gankra feat: add workspace.version override

Fixes

• impl @mistydemeo
  • fix: mark homebrew with persist-credentials
  • fix: don't write unified checksum with no checksums
• impl @cibyr fix(axoproject): allow building without generic-projects

This is a big release! 0.29.0 includes all of the new features from Astral's fork of dist along with some new bugfixes. It also removes support for Axo Releases.

Pinning GitHub Actions to commits

By default, dist uses Actions via floating versioned tags such as actions/checkout@v4. Users with specific security requirements may instead want to pin these to specific commits so that they know exactly which version will be run. This release provides configuration to allow users to specify which commit to use for a given action. For more information, see the docs.

• impl @Gankra feat: add github-action-commits config

Recursive source tarballs, including the contents of submodules

While we've had support for source tarballs since 0.5.0, those tarballs have been limited to the contents of the base repository and didn't contain the contents of submodules. (This is a limitation of the git archive tool that we use to generate them.) This release adds support for recursive tarballs that include the contents of submodules as well. This feature is opt-in and can be enabled with the recursive-tarballs = true setting. For more information, see the docs.

• impl @Gankra feat: add recursive-tarballs

Support cross-compiling from Windows to Windows

In previous versions, dist would refuse to cross-compile from one Windows architecture to another. This release fixes that and allows the build to be attempted. We still default to cross-compiling via cargo-xwin; users who would like to try this will need to configure their builds to use a Windows runner. For example:

[dist.github-custom-runners.aarch64-pc-windows-msvc]
runner = "windows-2025"

• impl @baszalmstra fix: allow cross compiling from windows to windows

Installer improvements

We've improved compatibility for the shell installer by bringing in newer changes from the Rustup installer it was originally based on. We've also improved compatibility with Linux distributions that don't use the $HOME environment variable.

• impl @Gankra feat: improve installer.sh with changes from rustup
• impl @konstin feat: support Linux distros that don't set HOME

BYO GitHub bearer token for installers

In addition to the above, we now allow users to bring their own GitHub token to be used when fetching tarballs from GitHub. This is useful for users who are often rate-limited when downloading artifacts or who need to fetch artifacts from private repositories. Like our other environment variables, this is branded with your application's name in the format {APP_NAME}_GITHUB_TOKEN. This environment variable is supported in both the shell and PowerShell installers. For more information, see the docs.

• impl @Gankra feat: add {APP_NAME}_GITHUB_TOKEN install env-var

Reduce unnecessary credentials persistence in Actions config

This release includes some tweaks to generated Actions config in order to reduce the risk of accidentally persisting credentials longer in the run than necessary. This is always enabled and doesn't require configuration to opt into.

• impl @Gankra feat: add persist-credentials: false to checkouts

Allow overriding binaries per-platform

It's now possible to override the set of binaries to install on a per-platform basis. For example, a project with three binaries may choose to only install two of them on Windows, or may choose to provide an extra binary on other platforms. For more information, see the docs.

• impl @Gankra feat: allow overriding per-platform binaries

New setting for overriding packages to dist

A new top-level option, packages, allows specifying a list of exactly which packages should be disted. This overrides any individual dist = true or dist = false set in individual packages, and can be easier to reason about. For more information, see the docs.

• impl @Gankra feat: add packages override for externally setting dist=true/false

Overriding package versions

The new top-level version option overrides the individually-configuredversions for every package and instead causes dist to assume every package has the specified version. For more information, see the docs.

• impl @Gankra feat: add workspace.version override

Fixes

• impl @mistydemeo
  • fix: mark homebrew with persist-credentials
  • fix: don't write unified checksum with no checksums
• impl @cibyr fix(axoproject): allow building without generic-projects

This release updates dependencies and contains no substantive code changes.

This release updates dependencies and contains no substantive code changes.

This release updates dependencies and contains no substantive code changes.

This release contains several important bugfixes. This primarily ensures that GitHub Actions builds work again, but there are also several fixes for minor configuration issues and updates to the runtime dependencies for the npm installer.

Fixes

• impl @mistydemeo
  • Bump Rust version to 1.87.0
  • feat: synchronize runners with github
  • fix: use --locked for from-git installs
• impl @Lee-W feat: update ubuntu version from 20.04 to 22.04
• impl @jackkleeman Support publishing prereleases even if there are only custom publish jobs
• impl @geofft fix: Do not report shadowed binaries when no binary exists
• impl @rdbisme Fix typo for installer base url override
• impl @CramBL fix ignored configuration key 'msvc-crt-static'
• impl @gtema update version of github provenance action

This release contains several important bugfixes. This primarily ensures that GitHub Actions builds work again, but there are also several fixes for minor configuration issues and updates to the runtime dependencies for the npm installer.

Fixes

• impl @mistydemeo
  • Bump Rust version to 1.87.0
  • feat: synchronize runners with github
  • fix: use --locked for from-git installs
• impl @Lee-W feat: update ubuntu version from 20.04 to 22.04
• impl @jackkleeman Support publishing prereleases even if there are only custom publish jobs
• impl @geofft fix: Do not report shadowed binaries when no binary exists
• impl @rdbisme Fix typo for installer base url override
• impl @CramBL fix ignored configuration key 'msvc-crt-static'
• impl @gtema update version of github provenance action

This release contains several important bugfixes. This primarily ensures that GitHub Actions builds work again, but there are also several fixes for minor configuration issues and updates to the runtime dependencies for the npm installer.

Fixes

• impl @mistydemeo
  • Bump Rust version to 1.87.0
  • feat: synchronize runners with github
  • fix: use --locked for from-git installs
• impl @Lee-W feat: update ubuntu version from 20.04 to 22.04
• impl @jackkleeman Support publishing prereleases even if there are only custom publish jobs
• impl @geofft fix: Do not report shadowed binaries when no binary exists
• impl @rdbisme Fix typo for installer base url override
• impl @CramBL fix ignored configuration key 'msvc-crt-static'
• impl @gtema update version of github provenance action

This release contains several important bugfixes. This primarily ensures that GitHub Actions builds work again, but there are also several fixes for minor configuration issues and updates to the runtime dependencies for the npm installer.

Fixes

• impl @mistydemeo
  • Bump Rust version to 1.87.0
  • feat: synchronize runners with github
  • fix: use --locked for from-git installs
• impl @Lee-W feat: update ubuntu version from 20.04 to 22.04
• impl @jackkleeman Support publishing prereleases even if there are only custom publish jobs
• impl @geofft fix: Do not report shadowed binaries when no binary exists
• impl @rdbisme Fix typo for installer base url override
• impl @CramBL fix ignored configuration key 'msvc-crt-static'
• impl @gtema update version of github provenance action

This release contains several important bugfixes. This primarily ensures that GitHub Actions builds work again, but there are also several fixes for minor configuration issues and updates to the runtime dependencies for the npm installer.

Fixes

• impl @mistydemeo
  • Bump Rust version to 1.87.0
  • feat: synchronize runners with github
  • fix: use --locked for from-git installs
• impl @Lee-W feat: update ubuntu version from 20.04 to 22.04
• impl @jackkleeman Support publishing prereleases even if there are only custom publish jobs
• impl @geofft fix: Do not report shadowed binaries when no binary exists
• impl @rdbisme Fix typo for installer base url override
• impl @CramBL fix ignored configuration key 'msvc-crt-static'
• impl @gtema update version of github provenance action

Nothing Yet!

Fixed a bug where dist migrate would delete dist-workspace.toml

A bug was introduced in 0.27.0 where, instead of dist migrate never deleting dist-workspace.toml, it would always delete it. This has been fixed.

• impl @duckinator fix: avoid 'dist migrate' deleting dist-workspace.toml

Warn if a tool is "shadowed" on your PATH

Shell installers now check if the tool it installed is shadowed by another tool on your path.

• impl @mistydemeo feat: check for shadowed binaries in shell installer

Prefer GitHub over Axo Releases

This release switches the preferred installation location to GitHub. In prior releases, if the user had both GitHub Releases and Axo Releases selected, generated installation scripts and receipts would prefer to fetch from GitHub.

• impl @mistydemeo feat: prioritize github over axo

We're back once more with a little holiday gift for you. This release contains a few new features and fixes.

Support for XDG_CONFIG_HOME

We've always supported standard OS configuration paths. This release adds support for XDG_CONFIG_HOME, an environment variable defined in the XDG Base Directory Specification, in order to allow users to override that default. We support this on all platforms, even Windows. Installers created with dist 0.27.0 or later will respect this environment variable and place install receipts in that path; updaters using axoupdater 0.9.0 or later will respect that variable when searching for the receipt.

• impl @brennanfee, @mistydemeo feat: support XDG_CONFIG_HOME

Improved handling of missing build dependencies

While we've always reported if mandatory tools are missing, we previously would only check for their existence right before we'd use them. This made it hard to judge exactly when required tools might be absent, and meant we'd only report about a single tool at a time. With this release, we now check for these tools up front and we check for every tool your build will need simultaneously. This allows us to tell you about every missing tool in one message, and before the builds themselves begin.

• impl @duckinator Fail early if required tools can't be found.

Improved generic config handling

Since we shipped the new config format, dist-workspace.toml, we've been providing some spurious messages for non-Rust builds using just a dist.toml file. In this release, we now migrate users with dist.toml-alone apps to dist-workspace.toml. This conversion is automatic and requires no user input; it will happen when using dist init to upgrade to a new release.

• impl @mistydemeo feat: migrate dist.toml to dist-workspace.toml

Stabilizing the standalone updater we ship

In the past, we always shipped the latest version of the standalone updater provided via axoupdater. This meant that, if a new version of axoupdater was released after a given version of dist, your app would receive that latest version. As we've stabilized the updater's feature set, we feel that end users are deriving less benefit from this rolling release schedule and it would be more helpful to provide a fixed, known-good stable release instead.

Beginning with this release, dist will always package the same version of axoupdater when building and shipping your app. If you prefer the old behaviour, and would like to receive whatever's the latest, you can set always-use-latest-updater = true in your configuration.

• impl @mistydemeo feat: update axoupdater, fetch known-good version

It's been slightly longer than usual since our last release, and now we're back with a slightly larger than usual release! This version brings several major new features and improvements, including the long-requested Rust cross-compilation feature and support for a few different Rust dependency version tracking formats.

Builtin Rust cross-compilation support

You've all asked for it, and it's finally here! Previously, we only supported Rust cross-compilation on macOS. With this release, we've extended Rust cross-compilation support to Linux (using cargo-zigbuild and Windows (using cargo-xwin. For more information, see the docs.

We're also making use of this feature ourselves: we now build our aarch64 Linux binaries using this new tooling.

(Note: for technical reasons, cargo-zigbuild cross-compiles and cargo-auditable are currently mutually exclusive. Users can only enable one or the other. cargo-xwin builds and cargo-auditable can be used together.)

• impl @fasterthanlime, @mistydemeo Add cross-compilation support via cargo-zigbuild and cargo-xwin

Checksum verifications in shell installers

While we've always generated checksum information for binary tarballs/ZIPs, we only actually validated those checksums in the Homebrew installer. That changes with this release: we now embed checksum information into the shell installer and validate the tarball before unpacking it.

• impl @fasterthanlime Verify checksums in install.sh

cargo-auditable support

We've added integrated support for the Rust Secure Code Working Group's cargo-auditable, which embeds dependency information in your Rust binaries and makes it possible for users to check your binaries for the full dependency tree they were built from with their precise versions. For more information, see our docs and the docs for the cargo-audit tool.

(Note: for technical reasons, this feature and cargo-zigbuild cross-compiles are currently mutually exclusive. Users can only enable one or the other. cargo-xwin builds and cargo-auditable can be used together.)

• impl @duckinator Add cargo-auditable config option

cargo-cyclonedx support

We've also added support for generating CyloneDX Software Bill of Materials (SBOM) files for Rust projects. We've implemented this using the cargo-cyclonedx tool. Unlike the cargo-auditable support above, which embeds dependency information directly into your binaries, this data is stored as a standalone bom.xml file which is distributed with your software. Users can then validate that SBOM file using any compatible CycloneDX tool.

• impl @duckinator Add cargo-cyclonedx config option.

OmniBOR support

Rounding out this release's new security features, we've added support for generating OmniBOR artifact IDs. We implement this using the omnibor-cli tool. For more information, see the docs.

• impl @duckinator Add option to generate omnibor artifact IDs.

Strict error catching in template rendering

We've tightened up error handling for undefined values in templates when we create things such as installer scripts and the GitHub Actions YAML config. Any errors that occur here are dist's fault, not users' fault, and stricter error handling ensures we get the information we need to fix dist bugs and make this code more reliable. This was made possible thanks to a contribution by @fasterthanlime to the minijinja project, ensuring that we get actionable messages for these kinds of errors.

• impl @fasterthanlime Enable jinja "strict undefined behavior", fix templates, improve reporting

Per-target glibc version overrides

Although we autodetect the glibc version used by your software in order to check the minimum requirements during install, users who bypass our build mechanism and run a custom build job didn't get the benefit of this feature. To compensate, we've added support for manually specifying the glibc version your software needs. For more information, see the docs.

• impl @duckinator Allow per-target glibc version overrides.

Tag-parsing and library-only mode improvements

We've tightened up the tag parsing code, ensuring that a few edge cases are handled more predictably. The dist plan output is now clearer in workspaces with multiple versions, with better instruction text on how to resolve unclear situations. We've also made a small change to dist = false handling, which means that we now refuse to run if a release tag only matches a crate with dist = false instead of going ahead with single library mode.

• impl
  • @duckinator Avoid discarding tag information, so "dist plan --tag={name}-{version}" works.
  • @mistydemeo Disable single-library mode for dist=false
  • @alilleybrinker Permit tag incoherence for dist plan

Improved pc-windows-gnu support

Although we've previously supported pc-windows-gnu builds for Rust software, we had a few notable gotchas: we wouldn't install choco dependencies, and PowerShell installers couldn't install them. We've fixed both of these issues this release, ensuring these targets are a bit closer to pc-windows-msvc in support.

• impl @mistydemeo feat: add pc-windows-gnu to powershell installers

Fixes

• @pnehrer Explicitly set manifest path when building MSI with WiX

It's been slightly longer than usual since our last release, and now we're back with a slightly larger than usual release! This version brings several major new features and improvements, including the long-requested Rust cross-compilation feature and support for a few different Rust dependency version tracking formats.

Builtin Rust cross-compilation support

You've all asked for it, and it's finally here! Previously, we only supported Rust cross-compilation on macOS. With this release, we've extended Rust cross-compilation support to Linux (using cargo-zigbuild and Windows (using cargo-xwin. For more information, see the docs.

We're also making use of this feature ourselves: we now build our aarch64 Linux binaries using this new tooling.

(Note: for technical reasons, cargo-zigbuild cross-compiles and cargo-auditable are currently mutually exclusive. Users can only enable one or the other. cargo-xwin builds and cargo-auditable can be used together.)

• impl @fasterthanlime, @mistydemeo Add cross-compilation support via cargo-zigbuild and cargo-xwin

Checksum verifications in shell installers

While we've always generated checksum information for binary tarballs/ZIPs, we only actually validated those checksums in the Homebrew installer. That changes with this release: we now embed checksum information into the shell installer and validate the tarball before unpacking it.

• impl @fasterthanlime Verify checksums in install.sh

cargo-auditable support

We've added integrated support for the Rust Secure Code Working Group's cargo-auditable, which embeds dependency information in your Rust binaries and makes it possible for users to check your binaries for the full dependency tree they were built from with their precise versions. For more information, see our docs and the docs for the cargo-audit tool.

(Note: for technical reasons, this feature and cargo-zigbuild cross-compiles are currently mutually exclusive. Users can only enable one or the other. cargo-xwin builds and cargo-auditable can be used together.)

• impl @duckinator Add cargo-auditable config option

cargo-cyclonedx support

We've also added support for generating CyloneDX Software Bill of Materials (SBOM) files for Rust projects. We've implemented this using the cargo-cyclonedx tool. Unlike the cargo-auditable support above, which embeds dependency information directly into your binaries, this data is stored as a standalone bom.xml file which is distributed with your software. Users can then validate that SBOM file using any compatible CycloneDX tool.

• impl @duckinator Add cargo-cyclonedx config option.

OmniBOR support

Rounding out this release's new security features, we've added support for generating OmniBOR artifact IDs. We implement this using the omnibor-cli tool. For more information, see the docs.

• impl @duckinator Add option to generate omnibor artifact IDs.

Strict error catching in template rendering

We've tightened up error handling for undefined values in templates when we create things such as installer scripts and the GitHub Actions YAML config. Any errors that occur here are dist's fault, not users' fault, and stricter error handling ensures we get the information we need to fix dist bugs and make this code more reliable. This was made possible thanks to a contribution by @fasterthanlime to the minijinja project, ensuring that we get actionable messages for these kinds of errors.

• impl @fasterthanlime Enable jinja "strict undefined behavior", fix templates, improve reporting

Per-target glibc version overrides

Although we autodetect the glibc version used by your software in order to check the minimum requirements during install, users who bypass our build mechanism and run a custom build job didn't get the benefit of this feature. To compensate, we've added support for manually specifying the glibc version your software needs. For more information, see the docs.

• impl @duckinator Allow per-target glibc version overrides.

Tag-parsing and library-only mode improvements

We've tightened up the tag parsing code, ensuring that a few edge cases are handled more predictably. The dist plan output is now clearer in workspaces with multiple versions, with better instruction text on how to resolve unclear situations. We've also made a small change to dist = false handling, which means that we now refuse to run if a release tag only matches a crate with dist = false instead of going ahead with single library mode.

• impl
  • @duckinator Avoid discarding tag information, so "dist plan --tag={name}-{version}" works.
  • @mistydemeo Disable single-library mode for dist=false
  • @alilleybrinker Permit tag incoherence for dist plan

Improved pc-windows-gnu support

Although we've previously supported pc-windows-gnu builds for Rust software, we had a few notable gotchas: we wouldn't install choco dependencies, and PowerShell installers couldn't install them. We've fixed both of these issues this release, ensuring these targets are a bit closer to pc-windows-msvc in support.

• impl @mistydemeo feat: add pc-windows-gnu to powershell installers

Fixes

• @pnehrer Explicitly set manifest path when building MSI with WiX

It's been slightly longer than usual since our last release, and now we're back with a slightly larger than usual release! This version brings several major new features and improvements, including the long-requested Rust cross-compilation feature and support for a few different Rust dependency version tracking formats.

Builtin Rust cross-compilation support

You've all asked for it, and it's finally here! Previously, we only supported Rust cross-compilation on macOS. With this release, we've extended Rust cross-compilation support to Linux (using cargo-zigbuild and Windows (using cargo-xwin. For more information, see the docs.

We're also making use of this feature ourselves: we now build our aarch64 Linux binaries using this new tooling.

(Note: for technical reasons, cargo-zigbuild cross-compiles and cargo-auditable are currently mutually exclusive. Users can only enable one or the other. cargo-xwin builds and cargo-auditable can be used together.)

• impl @fasterthanlime, @mistydemeo Add cross-compilation support via cargo-zigbuild and cargo-xwin

Checksum verifications in shell installers

While we've always generated checksum information for binary tarballs/ZIPs, we only actually validated those checksums in the Homebrew installer. That changes with this release: we now embed checksum information into the shell installer and validate the tarball before unpacking it.

• impl @fasterthanlime Verify checksums in install.sh

cargo-auditable support

We've added integrated support for the Rust Secure Code Working Group's cargo-auditable, which embeds dependency information in your Rust binaries and makes it possible for users to check your binaries for the full dependency tree they were built from with their precise versions. For more information, see our docs and the docs for the cargo-audit tool.

(Note: for technical reasons, this feature and cargo-zigbuild cross-compiles are currently mutually exclusive. Users can only enable one or the other. cargo-xwin builds and cargo-auditable can be used together.)

• impl @duckinator Add cargo-auditable config option

cargo-cyclonedx support

We've also added support for generating CyloneDX Software Bill of Materials (SBOM) files for Rust projects. We've implemented this using the cargo-cyclonedx tool. Unlike the cargo-auditable support above, which embeds dependency information directly into your binaries, this data is stored as a standalone bom.xml file which is distributed with your software. Users can then validate that SBOM file using any compatible CycloneDX tool.

• impl @duckinator Add cargo-cyclonedx config option.

OmniBOR support

Rounding out this release's new security features, we've added support for generating OmniBOR artifact IDs. We implement this using the omnibor-cli tool. For more information, see the docs.

• impl @duckinator Add option to generate omnibor artifact IDs.

Strict error catching in template rendering

We've tightened up error handling for undefined values in templates when we create things such as installer scripts and the GitHub Actions YAML config. Any errors that occur here are dist's fault, not users' fault, and stricter error handling ensures we get the information we need to fix dist bugs and make this code more reliable. This was made possible thanks to a contribution by @fasterthanlime to the minijinja project, ensuring that we get actionable messages for these kinds of errors.

• impl @fasterthanlime Enable jinja "strict undefined behavior", fix templates, improve reporting

Per-target glibc version overrides

Although we autodetect the glibc version used by your software in order to check the minimum requirements during install, users who bypass our build mechanism and run a custom build job didn't get the benefit of this feature. To compensate, we've added support for manually specifying the glibc version your software needs. For more information, see the docs.

• impl @duckinator Allow per-target glibc version overrides.

Tag-parsing and library-only mode improvements

We've tightened up the tag parsing code, ensuring that a few edge cases are handled more predictably. The dist plan output is now clearer in workspaces with multiple versions, with better instruction text on how to resolve unclear situations. We've also made a small change to dist = false handling, which means that we now refuse to run if a release tag only matches a crate with dist = false instead of going ahead with single library mode.

• impl
  • @duckinator Avoid discarding tag information, so "dist plan --tag={name}-{version}" works.
  • @mistydemeo Disable single-library mode for dist=false
  • @alilleybrinker Permit tag incoherence for dist plan

Improved pc-windows-gnu support

Although we've previously supported pc-windows-gnu builds for Rust software, we had a few notable gotchas: we wouldn't install choco dependencies, and PowerShell installers couldn't install them. We've fixed both of these issues this release, ensuring these targets are a bit closer to pc-windows-msvc in support.

• impl @mistydemeo feat: add pc-windows-gnu to powershell installers

Fixes

• @pnehrer Explicitly set manifest path when building MSI with WiX

It's been slightly longer than usual since our last release, and now we're back with a slightly larger than usual release! This version brings several major new features and improvements, including the long-requested Rust cross-compilation feature and support for a few different Rust dependency version tracking formats.

Builtin Rust cross-compilation support

You've all asked for it, and it's finally here! Previously, we only supported Rust cross-compilation on macOS. With this release, we've extended Rust cross-compilation support to Linux (using cargo-zigbuild and Windows (using cargo-xwin. For more information, see the docs.

We're also making use of this feature ourselves: we now build our aarch64 Linux binaries using this new tooling.

(Note: for technical reasons, cargo-zigbuild cross-compiles and cargo-auditable are currently mutually exclusive. Users can only enable one or the other. cargo-xwin builds and cargo-auditable can be used together.)

• impl @fasterthanlime, @mistydemeo Add cross-compilation support via cargo-zigbuild and cargo-xwin

Checksum verifications in shell installers

While we've always generated checksum information for binary tarballs/ZIPs, we only actually validated those checksums in the Homebrew installer. That changes with this release: we now embed checksum information into the shell installer and validate the tarball before unpacking it.

• impl @fasterthanlime Verify checksums in install.sh

cargo-auditable support

We've added integrated support for the Rust Secure Code Working Group's cargo-auditable, which embeds dependency information in your Rust binaries and makes it possible for users to check your binaries for the full dependency tree they were built from with their precise versions. For more information, see our docs and the docs for the cargo-audit tool.

(Note: for technical reasons, this feature and cargo-zigbuild cross-compiles are currently mutually exclusive. Users can only enable one or the other. cargo-xwin builds and cargo-auditable can be used together.)

• impl @duckinator Add cargo-auditable config option

cargo-cyclonedx support

We've also added support for generating CyloneDX Software Bill of Materials (SBOM) files for Rust projects. We've implemented this using the cargo-cyclonedx tool. Unlike the cargo-auditable support above, which embeds dependency information directly into your binaries, this data is stored as a standalone bom.xml file which is distributed with your software. Users can then validate that SBOM file using any compatible CycloneDX tool.

• impl @duckinator Add cargo-cyclonedx config option.

OmniBOR support

Rounding out this release's new security features, we've added support for generating OmniBOR artifact IDs. We implement this using the omnibor-cli tool. For more information, see the docs.

• impl @duckinator Add option to generate omnibor artifact IDs.

Strict error catching in template rendering

We've tightened up error handling for undefined values in templates when we create things such as installer scripts and the GitHub Actions YAML config. Any errors that occur here are dist's fault, not users' fault, and stricter error handling ensures we get the information we need to fix dist bugs and make this code more reliable. This was made possible thanks to a contribution by @fasterthanlime to the minijinja project, ensuring that we get actionable messages for these kinds of errors.

• impl @fasterthanlime Enable jinja "strict undefined behavior", fix templates, improve reporting

Per-target glibc version overrides

Although we autodetect the glibc version used by your software in order to check the minimum requirements during install, users who bypass our build mechanism and run a custom build job didn't get the benefit of this feature. To compensate, we've added support for manually specifying the glibc version your software needs. For more information, see the docs.

• impl @duckinator Allow per-target glibc version overrides.

Tag-parsing and library-only mode improvements

We've tightened up the tag parsing code, ensuring that a few edge cases are handled more predictably. The dist plan output is now clearer in workspaces with multiple versions, with better instruction text on how to resolve unclear situations. We've also made a small change to dist = false handling, which means that we now refuse to run if a release tag only matches a crate with dist = false instead of going ahead with single library mode.

• impl
  • @duckinator Avoid discarding tag information, so "dist plan --tag={name}-{version}" works.
  • @mistydemeo Disable single-library mode for dist=false
  • @alilleybrinker Permit tag incoherence for dist plan

Improved pc-windows-gnu support

Although we've previously supported pc-windows-gnu builds for Rust software, we had a few notable gotchas: we wouldn't install choco dependencies, and PowerShell installers couldn't install them. We've fixed both of these issues this release, ensuring these targets are a bit closer to pc-windows-msvc in support.

• impl @mistydemeo feat: add pc-windows-gnu to powershell installers

Fixes

• @pnehrer Explicitly set manifest path when building MSI with WiX

Nothing Yet!

Nothing Yet!

Nothing Yet!

Nothing Yet!