|
From: | Ivan Petkov |
Subject: | [bug#36841] [PATCH v3] build/cargo-build-system: Patch cargo checksums. |
Date: | Wed, 31 Jul 2019 20:00:00 -0700 |
Hi Efraim,
Overall the patch makes sense to me! However, I am curious what are some of the situations in which you’re encountering a Cargo.lock file? In a system like guix which maintains all dependencies immutably and consistently, the Cargo.lock file is virtually useless (in fact it *could* be harmful if an application is released with a Cargo.lock file pinning to a particular vulnerable dependency which needs to be updated, requiring patching of the Cargo.lock file). I’d be willing to go as far as suggest we unconditionally delete any Cargo.lock file in source tarballs and let cargo generate its own replacement using the vendor directory we have supplied. (Imports from crates.io also never include a Cargo.lock file, so this may only pertain if we’re performing a direct source import…) —Ivan |
[Prev in Thread] | Current Thread | [Next in Thread] |