diff options
Diffstat (limited to 'testing')
| -rw-r--r-- | testing/cargo/APKBUILD | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/testing/cargo/APKBUILD b/testing/cargo/APKBUILD index 3ee8f4eb41c..3089fecd360 100644 --- a/testing/cargo/APKBUILD +++ b/testing/cargo/APKBUILD @@ -16,8 +16,16 @@ makedepends="cmake curl-dev libgit2-dev libssh2-dev libressl-dev python2 zlib-de subpackages="$pkgname-doc $pkgname-bash-completion:bashcomp:noarch $pkgname-zsh-completion:zshcomp:noarch" -# NOTE: Cargo is self-hosted, so you need cargo to build cargo (ugh). -# TODO: Implement some support for verifying crates fetched by cargo! +# Note: Cargo is self-hosted, so you need cargo to build cargo (ugh). +# XXX: Cargo depends on many crates (Rust packages) and currently downloads +# them itself in the build phase. This quite violates our policy. However, +# unlike some other package managers, Cargo does not download arbitrary +# packages from the Internet without any verification. The source tarball +# includes file Cargo.lock that contains complete dependency tree with exact +# version and checksum for each crate . With --locked we force cargo to +# adhere to this file and verify checksums. So it provides the same +# guarantees as abuild. That said, for now it's exception only for cargo +# package and should not be applied to other rust packages! _cbuild="$CARCH-unknown-linux-musl" source="$pkgname-$pkgver.tar.gz::https://github.com/rust-lang/$pkgname/archive/$pkgver.tar.gz https://github.com/rust-lang/rust-installer/archive/$_installer_gitrev/rust-installer-$_installer_gitrev.tar.gz |