Subject: [bug#36841] [PATCH v3] build/cargo-build-system: Patch cargo checksums.
From: Ivan Petkov
To: Efraim Flashner
Cc: 36841@debbugs.gnu.org
Date: Wed, 31 Jul 2019 20:00:00 -0700
Message-Id: <6580AB76-AB78-4758-B71F-FE08687B9A33@gmail.com>
In-Reply-To: <20190730104658.GC21431@E2140>
References: <20190729190422.6834-1-efraim@flashner.co.il> <20190730081757.GB21431@E2140> <20190730104658.GC21431@E2140>

Hi Efraim,

> On Jul 30, 2019, at 3:46 AM, Efraim Flashner <efraim@flashner.co.il> wrote:
>
> This one I'm pretty happy with. The checksums are only generated twice
> when there's a Cargo.lock file present and I've factored out the
> function to generate all the checksums. When that's moved to (guix build
> cargo-utils) it can be used by the rust compilers and icecat.

Overall the patch makes sense to me!

However, I am curious what some of the situations are in which you're encountering
a Cargo.lock file? In a system like guix which maintains all dependencies immutably
and consistently, the Cargo.lock file is virtually useless (in fact it *could* be harmful
if an application is released with a Cargo.lock file pinning to a particular vulnerable
dependency which needs to be updated, requiring patching of the Cargo.lock file).

I'd be willing to go as far as to suggest we unconditionally delete any Cargo.lock file
in source tarballs and let cargo generate its own replacement using the vendor
directory we have supplied. (Imports from crates.io also never include a Cargo.lock
file, so this may only pertain if we're performing a direct source import…)

—Ivan
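The mismatch Ivan describes (a shipped Cargo.lock pinning a dependency version that the immutable vendored set does not contain) can be checked mechanically before deciding whether to drop or patch the lock file. The script below is an added example written for this thread, not code from the patch or from Guix; it assumes the vendor tree's crate directories are named `<name>-<version>`, as unpacked crate tarballs are.

```python
# Added example (not from the patch or from Guix): cross-check the pins in a
# Cargo.lock against the crate directories (<name>-<version>) of a cargo
# vendor tree, flagging pins the immutable vendored set does not provide.
import re

_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_cargo_lock(text):
    """One dict per [[package]] table with its quoted scalar keys (name,
    version, source, ...); [metadata] and `dependencies = [...]` are skipped."""
    packages, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):          # any other table ends the package
            current = None
        elif current is not None and (m := _KV.match(line)):
            current[m.group(1)] = m.group(2)
    return packages


def unvendored_pins(lock_text, vendored_dirs):
    """(name, version) pins with a registry source but no <name>-<version>
    directory in vendor/. Path and git entries are not vendored, so skipped."""
    vendored = set(vendored_dirs)
    return [(p["name"], p["version"]) for p in parse_cargo_lock(lock_text)
            if p.get("source", "").startswith("registry+")
            and f"{p['name']}-{p['version']}" not in vendored]


# Constructed sample: the lock pins libc 0.2.58 while the vendor tree ships
# libc 0.2.62; the checksum value is a placeholder, not a real digest.
SAMPLE_LOCK = """\
[[package]]
name = "libc"
version = "0.2.58"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "libc 0.2.58 (registry+https://github.com/rust-lang/crates.io-index)",
]
[metadata]
"checksum libc 0.2.58 (registry+https://github.com/rust-lang/crates.io-index)" = "placeholder"
"""
# Directory names as os.listdir("vendor") would return them on a real tree.
SAMPLE_VENDOR = ["libc-0.2.62", "cfg-if-0.1.9"]
```

On the constructed sample, `unvendored_pins(SAMPLE_LOCK, SAMPLE_VENDOR)` reports `libc 0.2.58` as the one pin the vendor tree cannot satisfy.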