author: Jakub Jirutka <jakub@jirutka.cz> 2017-05-17 18:35:33 +0200
committer: Jakub Jirutka <jakub@jirutka.cz> 2017-05-17 18:35:33 +0200
commit: 7560fbf3d64eb4a5eb63149359967766b078006a
tree: a8d48575559464973bf9f8fbb1e185ede8593d6d /testing
parent: 53de4b4d9faa9e5fac4b484977817b3b88ebbd3a
testing/cargo: add note about downloading dependencies
Diffstat (limited to 'testing')
1 files changed, 10 insertions, 2 deletions
diff --git a/testing/cargo/APKBUILD b/testing/cargo/APKBUILD
index 3ee8f4eb41..3089fecd36 100644
--- a/testing/cargo/APKBUILD
+++ b/testing/cargo/APKBUILD
@@ -16,8 +16,16 @@ makedepends="cmake curl-dev libgit2-dev libssh2-dev libressl-dev python2 zlib-de
-# NOTE: Cargo is self-hosted, so you need cargo to build cargo (ugh).
-# TODO: Implement some support for verifying crates fetched by cargo!
+# Note: Cargo is self-hosted, so you need cargo to build cargo (ugh).
+# XXX: Cargo depends on many crates (Rust packages) and currently downloads
+# them itself in the build phase. This quite violates our policy. However,
+# unlike some other package managers, Cargo does not download arbitrary
+# packages from the Internet without any verification. The source tarball
+# includes file Cargo.lock that contains complete dependency tree with exact
+# version and checksum for each crate . With --locked we force cargo to
+# adhere to this file and verify checksums. So it provides the same
+# guarantees as abuild. That said, for now it's exception only for cargo
+# package and should not be applied to other rust packages!
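Review bot: the new comment asserts that `--locked` forces cargo to honour Cargo.lock and verify crate checksums, but this hunk only changes the comment, so the reader cannot see where `--locked` is actually passed; confirm that every cargo invocation in this APKBUILD's build()/package() steps carries `--locked`, since a single invocation without it silently falls back to resolving and fetching dependencies unconstrained by the lock file, and the stated "same guarantees as abuild" claim no longer holds. It would also help to state in the comment that the guarantee is transitive: the checksums in Cargo.lock are only trustworthy because Cargo.lock ships inside the source tarball whose own checksum abuild verifies, so the trust chain starts at the tarball checksum, not at cargo. Minor style point: the replaced line had a `TODO` about verifying fetched crates that this hunk drops rather than resolves, so consider keeping a short pointer to what `--locked` does and does not cover; and `each crate .` has a stray space before the period.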