diff options
author | Jakub Jirutka <jakub@jirutka.cz> | 2017-05-17 18:35:33 +0200 |
---|---|---|
committer | Jakub Jirutka <jakub@jirutka.cz> | 2017-05-17 18:35:33 +0200 |
commit | 7560fbf3d64eb4a5eb63149359967766b078006a (patch) | |
tree | a8d48575559464973bf9f8fbb1e185ede8593d6d /testing | |
parent | 53de4b4d9faa9e5fac4b484977817b3b88ebbd3a (diff) | |
download | aports-7560fbf3d64eb4a5eb63149359967766b078006a.tar.bz2 aports-7560fbf3d64eb4a5eb63149359967766b078006a.tar.xz |
testing/cargo: add note about downloading dependencies
Diffstat (limited to 'testing')
-rw-r--r-- | testing/cargo/APKBUILD | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/testing/cargo/APKBUILD b/testing/cargo/APKBUILD index 3ee8f4eb41..3089fecd36 100644 --- a/testing/cargo/APKBUILD +++ b/testing/cargo/APKBUILD @@ -16,8 +16,16 @@ makedepends="cmake curl-dev libgit2-dev libssh2-dev libressl-dev python2 zlib-de subpackages="$pkgname-doc $pkgname-bash-completion:bashcomp:noarch $pkgname-zsh-completion:zshcomp:noarch" -# NOTE: Cargo is self-hosted, so you need cargo to build cargo (ugh). -# TODO: Implement some support for verifying crates fetched by cargo! +# Note: Cargo is self-hosted, so you need cargo to build cargo (ugh). +# XXX: Cargo depends on many crates (Rust packages) and currently downloads +# them itself in the build phase. This quite violates our policy. However, +# unlike some other package managers, Cargo does not download arbitrary +# packages from the Internet without any verification. The source tarball +# includes file Cargo.lock that contains complete dependency tree with exact +# version and checksum for each crate . With --locked we force cargo to +# adhere to this file and verify checksums. So it provides the same +# guarantees as abuild. That said, for now it's exception only for cargo +# package and should not be applied to other rust packages! _cbuild="$CARCH-unknown-linux-musl" source="$pkgname-$pkgver.tar.gz::https://github.com/rust-lang/$pkgname/archive/$pkgver.tar.gz https://github.com/rust-lang/rust-installer/archive/$_installer_gitrev/rust-installer-$_installer_gitrev.tar.gz |