Provide source tarballs with vendored dependencies? #425
Comments
The story is different depending on which part of the project you're talking about:
Could you tell me more about what your distro is packaging and what different approaches you're considering?
In Slackbuilds, we've been debating how to go about packaging rust programs. So far there are 3 solutions we've come up with:
All of these methods except the last one result in a fragmented way of doing this, and put unnecessary trust into the maintainer of the Slackbuild. This also doesn't just apply to Slackbuilds, though; it applies to other projects too (such as openSUSE above). Overall, we'd like to avoid the nonsense that Debian and Fedora do where they attempt to package every single cargo package. If you guys provided a vendored tarball, it would prevent this whole Web of Trust issue =)
As the maintainer of the Anyway, we wouldn't use such a vendored tarball in Fedora, but it wouldn't affect us. We package from the crates released on https://crates.io/crates/b3sum, which I think still would not contain vendored dependencies. If vendored dependencies did appear in released crates, we would just remove them. The only thing that would be a serious annoyance would be if crates contained vendored dependencies with legal or license issues, forcing us to modify the crates before uploading them to our lookaside cache. That seems unlikely here, but it's certainly happened before.
This would be extremely useful for package maintainers, as it means we don't have to package each dependency independently. It also allows the program to be built completely offline, which is mandatory for many package managers due to reproducibility concerns.