
thecrm | 3 years ago

It doesn't just download random things. Cargo generates a Cargo.lock file with checksums and will make sure that those checksums match when building later on. It's about as safe as vendoring all dependencies while being far easier to work with (though tools like cargo-vendor do exist, of course).

Edit: for things like the kernel, vendoring dependencies is still probably not a bad idea, of course


humanrebar|3 years ago

What prevents a given URL from disappearing? Does that just break a particular source version of the Linux kernel?

What happens when a given dependency adds new kernel-inappropriate features? Are kernel devs going to act like distro maintainers and decide between forking, maintaining patch sets, etc.?

roca|3 years ago

All crate sources are stored in the crates.io package archive, which never deletes packages.

A dependency veering off in a direction you don't like is one of the risks of using someone else's code instead of writing it yourself. Cargo makes it easy to use forked dependencies, and forking a dependency is almost always less work than if you'd never used it and written the code yourself from the beginning. (And to be clear this is only a problem for future evolution; a crate author cannot remove or modify an already-published version of their crate.)

sanderjd|3 years ago

To the first question, obviously the sources of dependencies would be brought into the tree. This is easy and there's no reason I'm aware of not to do it for something like the Linux kernel.

To the second set of questions, how is this any different than any other dependency the kernel has? If the answer is "the kernel has no dependencies" then yeah, I'm very sympathetic to the argument that bringing in rust libraries is not a good reason to start having dependencies when none previously existed at all, but is that the case?
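The checksum verification thecrm describes and the in-tree vendoring sanderjd mentions, as an added example that is not code from Cargo, the kernel, or anyone in this thread: a small Python script that checks a vendored dependency directory against the checksums recorded in Cargo.lock, reporting any registry crate that is missing, has no checksum, or whose files no longer hash to what was recorded. The Cargo.lock text, the crate contents and the "archive bytes" are constructed for the example; the `.cargo-checksum.json` layout (`{"files": {path: sha256}, "package": sha256}`) is the one `cargo vendor` writes, and joining the crate's files as a stand-in for the `.crate` tarball is an assumption made so the sample is self-contained (a real package checksum is the SHA-256 of the archive file itself).

```python
import hashlib
import json
import re
from typing import Dict, List

KV_RE = re.compile(r'^(\w+) = "(.*)"$')


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_lock(text: str) -> List[Dict[str, str]]:
    """Minimal Cargo.lock reader: one dict of scalar keys per [[package]] block.
    The multi-line `dependencies = [...]` array is not needed for checksum checks."""
    packages, current = [], None
    for line in text.splitlines():
        if line.strip() == "[[package]]":
            current = {}
            packages.append(current)
        elif current is not None:
            m = KV_RE.match(line.strip())
            if m:
                current[m.group(1)] = m.group(2)
    return packages


def verify_vendored(lock_text: str, vendor: Dict[str, Dict[str, bytes]]) -> List[str]:
    """Return findings; an empty list means every registry crate matched Cargo.lock.
    `vendor` maps "<name>-<version>" directories to their files, mirroring the
    on-disk layout produced by `cargo vendor`."""
    findings = []
    for pkg in parse_lock(lock_text):
        name, version = pkg["name"], pkg["version"]
        if not pkg.get("source", "").startswith("registry+"):
            continue  # workspace/path crates and git sources carry no registry checksum
        if "checksum" not in pkg:
            findings.append(f"{name} {version}: registry package has no checksum in Cargo.lock")
            continue
        files = vendor.get(f"{name}-{version}")
        if files is None:
            findings.append(f"{name} {version}: not present in vendor directory")
            continue
        meta = json.loads(files[".cargo-checksum.json"])
        if meta.get("package") != pkg["checksum"]:
            findings.append(f"{name} {version}: package checksum differs from Cargo.lock")
        for path, expected in meta.get("files", {}).items():
            actual = files.get(path)
            if actual is None:
                findings.append(f"{name} {version}: {path} listed in .cargo-checksum.json but missing")
            elif sha256_hex(actual) != expected:
                findings.append(f"{name} {version}: {path} content differs from recorded hash")
    return findings


def build_sample():
    """Construct a tiny vendored crate and a matching Cargo.lock (all values made up)."""
    crate_files = {
        "Cargo.toml": b'[package]\nname = "tinybits"\nversion = "0.1.0"\n',
        "src/lib.rs": b"pub const MASK: u32 = 0xff;\n",
    }
    # Assumption for the example: stand in for the .crate tarball by concatenating the files.
    package_hash = sha256_hex(b"".join(crate_files[p] for p in sorted(crate_files)))
    checksum_json = json.dumps({
        "files": {p: sha256_hex(b) for p, b in crate_files.items()},
        "package": package_hash,
    }).encode()
    vendor = {"tinybits-0.1.0": {**crate_files, ".cargo-checksum.json": checksum_json}}
    lock = f'''version = 3

[[package]]
name = "demo-driver"
version = "0.1.0"
dependencies = [
 "tinybits",
]

[[package]]
name = "tinybits"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "{package_hash}"
'''
    return lock, vendor


def tampered_sample():
    """Same tree, but one vendored source file was modified after vendoring."""
    lock, vendor = build_sample()
    vendor = {k: dict(v) for k, v in vendor.items()}
    vendor["tinybits-0.1.0"]["src/lib.rs"] = b"pub const MASK: u32 = 0xff; // injected\n"
    return lock, vendor


if __name__ == "__main__":
    print("clean:", verify_vendored(*build_sample()))
    print("tampered:", verify_vendored(*tampered_sample()))
```

The workspace crate (`demo-driver`) has no `source` line and is skipped, which is the same distinction Cargo draws: only registry packages have a checksum to enforce, so a git or path dependency in the lock file gives you a pinned revision but not a content hash, and needs to be reviewed or vendored separately.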

yw3410|3 years ago

You're forgetting about custom build scripts. Thankfully most of the core ones have moved off cloning dependencies for FFI purposes (think cloning an alsa-lib version for FFI), but it used to be super common.

CraigJPerry|3 years ago

The lock file is created but is not used by default.

You must specify --locked to get that behaviour.

heftig|3 years ago

No, it is. Even without `--locked`, the Cargo.lock file is only updated when it no longer fulfills the Cargo.toml because the latter was edited (and then only making the minimal changes necessary), or explicitly using `cargo update`.

duckerude|3 years ago

That's true when running `cargo install` to install an application directly from crates.io, but not when running `cargo build` in an already checked-out repository.

goodpoint|3 years ago

> It doesn't just download random things.

That's exactly what it does. The developer is not really expected to thoroughly review the codebase of every dependency.

Just like JavaScript, all sorts of supply chain attacks are made possible.

A single malicious library can sneak into large ecosystems easily.