Hi, I'm the maintainer of the pkgsrc package for routinator, ref. https://github.com/NetBSD/pkgsrc/tree/trunk/net/routinator
In pkgsrc we have code to extract cargo dependencies, to download them in a separate "fetch" phase, checksum all the constituent components and verify that none of the components have changed since the program was packaged. As part of this there has always been an implicit policy to disallow "downloads" during the "build" phase, for several reasons: * Components may change in unverified manners * The build system may be offline * The build may produce different results compared to what it did when the program was packaged and recently constructs were added to pkgsrc to enforce this "no downloads during the build phase" by setting a proxy URL with a non-resolvable host name during that phase. And ... of course, routinator trips up over this check. The build.rs program in the routinator-ui crate has explicit code to itself download routinator-ui-build.tar.gz from github, and this would then constitute a violation of the above rules. I guess there are "reasons" why this code is there, and the routinator-ui-build.tar.gz contents can't be referred to by an entry in a Cargo.toml file? It is however annoying if not to say disconcerning that we can't verify all the constituent components. Can anything be done to routinator to not violate the "no download during build phase" rule? Best regards, - HÃ¥vard -- RPKI mailing list [email protected] https://lists.nlnetlabs.nl/mailman/listinfo/rpki
