On Thu, 22 May 2025 07:44:02 -0300 Alexandre wrote:
> But I could still use some insights about cargo and how (whether) it's
> used in Linux. I'm concerned about builds downloading pieces of
> software from unreviewed components in external repositories, but I
> don't know how to recognize this possibility.
these new "modern" tool-chains (rust, golang, javascript, python, etc) typically sport a manifest file declaring dependencies somewhere in the sources - but one simple way is to try compiling on a host without networking, and wait until the first download fails - alternatively, enable networking and log network activity during the build

i think it is a bit more than a "possibility" - it is nearly a certainty - as most of rust's libraries are not packaged in distros, rust sources usually have some dependencies which are not installed on the host and not available in its repos - i suspect that it is quite rare to see any non-trivial rust application which can compile OOTB on any distro, unless the distro packages all of its rust dependencies - it is often hundreds of them, and usually all of those would be packaged only to satisfy that one dependent application (probably not worth the effort) - that is the main reason why there are very few programs written in rust, golang, etc in the repos of distros

besides undeclared sources, i have observed rust deciding that it must also download a different rust binary to replace _itself_ just before compilation begins - so apparently, if the build recipe does not approve of the host's rust, rust would _always_ try to download _something_ that you did not have when the build began, even injecting new binaries into the tool-chain

_______________________________________________
linux-libre mailing list
http://www.fsfla.org/cgi-bin/mailman/listinfo/linux-libre
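An added example, not part of the thread above, of the "read the manifest" approach the reply mentions for the rust case. Cargo writes every resolved crate into Cargo.lock; crates that carry a `source = "registry+..."` or `source = "git+..."` line are fetched from outside the source tree, while path dependencies have no `source` line. The script below embeds a constructed Cargo.lock (crate names, versions, checksum and git URL are made up for the demonstration), lists the crates a build would download, and also reports a `rust-toolchain` / `rust-toolchain.toml` file, which is the rustup mechanism that makes a build pull a different compiler before compiling. The sample lock file and the helper names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): enumerate what a Rust build
# would fetch from outside the source tree, by reading Cargo.lock offline.

# Write a constructed sample Cargo.lock for the demonstration (all values made up).
write_sample_lock() {
  cat > "$1" <<'EOF'
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "libc",
 "localhelper",
 "somegitcrate",
]

[[package]]
name = "libc"
version = "0.2.155"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "localhelper"
version = "0.1.0"

[[package]]
name = "somegitcrate"
version = "0.3.0"
source = "git+https://example.invalid/somegitcrate.git?rev=deadbeef#deadbeef"
EOF
}

# Print "name version source" for every crate Cargo would download
# (registry or git). Path crates, which have no source line, are skipped.
external_crates() {
  awk '
    /^\[\[package\]\]/ { if (src != "") print name, ver, src; name=""; ver=""; src="" }
    /^name = /    { gsub(/"/, "", $3); name=$3 }
    /^version = / { gsub(/"/, "", $3); ver=$3 }
    /^source = /  { sub(/^source = "/, ""); sub(/"$/, ""); src=$0 }
    END { if (src != "") print name, ver, src }
  ' "$1"
}

# Number of external crates, a single figure to compare against what the
# distro actually packages.
external_count() {
  external_crates "$1" | wc -l | tr -d ' '
}

# Report a rustup toolchain override file in the source directory; its
# presence is what makes rustup fetch another compiler before the build.
toolchain_override() {
  for f in "$1/rust-toolchain.toml" "$1/rust-toolchain"; do
    if [ -f "$f" ]; then
      echo "$f"
      return 0
    fi
  done
  return 1
}

# Usage on a real tree: external_crates path/to/Cargo.lock ; toolchain_override path/to/src
```

Once the list is known, `cargo build --offline` makes cargo refuse any network access and fail on the first missing crate, which is the no-network build the reply suggests without having to unplug the host.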
