Hi Efraim, > On Jul 30, 2019, at 3:46 AM, Efraim Flashner wrote: > > This one I'm pretty happy with. The checksums are only generated twice > when there's a Cargo.lock file present and I've factored out the > function to generate all the checksums. When that's moved to (guix build > cargo-utils) it can be used by the rust compilers and icecat. Overall the patch makes sense to me! However, I am curious what are some of the situations in which you’re encountering a Cargo.lock file? In a system like guix which maintains all dependencies immutably and consistently, the Cargo.lock file is virtually useless (in fact it *could* be harmful if an application is released with a Cargo.lock file pinning to a particular vulnerable dependency which needs to be updated, requiring patching of the Cargo.lock file). I’d be willing to go as far as suggest we unconditionally delete any Cargo.lock file in source tarballs and let cargo generate its own replacement using the vendor directory we have supplied. (Imports from crates.io also never include a Cargo.lock file, so this may only pertain if we’re performing a direct source import…) —Ivan