> If I'm not mistaken, it needs to download a package to know its dependencies and version constraints.
It's even worse than that. It needs to execute a python script (setup.py?) per package to get a list of its dependencies and constraints. And as that script may contain arbitrary platform-dependent logic (and in the case of ML-related packages often does), it can be impossible to resolve dependencies for other platforms.
> Not sure how other package managers avoid that. Maybe the central package repositories can expose the dependencies metadata without needing to download the actual package?
Yes exactly.
For dependency resolution, cargo uses only a git-based index [0] which is optimized to contain only the information required for dependency resolution (omitting other package metadata such as authors). So it syncs the git repository and after that it is just lookups in local files of the index.
Only after dependency resolution does it need to consult an external server for retrieval of the actual package contents.
[0]: https://github.com/rust-lang/crates.io-index
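To make the comment above concrete, here is a toy resolver that works the way the index comment describes: it reads local index files, picks versions from them without executing anything from the packages, and only uses the per-version checksum afterwards to verify a downloaded archive. This is an added example, not code from cargo or crates.io. The directory layout (`1/`, `2/`, `3/x/`, `ab/cd/name`) and the JSON fields used (`name`, `vers`, `deps[].name`, `deps[].req`, `cksum`, `yanked`) follow the published crates.io-index format; the index contents, crate names and the `FOO_1_1_CRATE` bytes are constructed for the example, and the requirement syntax is limited to `^` (caret) and `=` requirements with plain numeric versions.

```python
"""Toy model of index-only dependency resolution (added example, not cargo's code)."""
import hashlib
import hmac
import json


def index_path(name: str) -> str:
    """File path of a crate inside the index, per the crates.io-index layout."""
    n = name.lower()
    if len(n) == 1:
        return f"1/{n}"
    if len(n) == 2:
        return f"2/{n}"
    if len(n) == 3:
        return f"3/{n[0]}/{n}"
    return f"{n[:2]}/{n[2:4]}/{n}"


# Constructed .crate archive bytes for foo 1.1.0; the index records sha256 of the archive.
FOO_1_1_CRATE = b"constructed tarball bytes standing in for foo-1.1.0.crate"

# Constructed index: path -> one JSON record per published version, oldest first.
CONSTRUCTED_INDEX = {
    index_path("foo"): "\n".join([
        json.dumps({"name": "foo", "vers": "1.0.0", "deps": [], "cksum": "0" * 64, "yanked": False}),
        json.dumps({"name": "foo", "vers": "1.1.0", "deps": [],
                    "cksum": hashlib.sha256(FOO_1_1_CRATE).hexdigest(), "yanked": False}),
        # A yanked release stays in the index but must never be selected.
        json.dumps({"name": "foo", "vers": "1.2.0", "deps": [], "cksum": "1" * 64, "yanked": True}),
    ]),
    index_path("barbaz"): "\n".join([
        json.dumps({"name": "barbaz", "vers": "0.2.0", "cksum": "2" * 64, "yanked": False,
                    "deps": [{"name": "foo", "req": "^1.1"}]}),
        json.dumps({"name": "barbaz", "vers": "0.3.0", "cksum": "3" * 64, "yanked": False,
                    "deps": [{"name": "foo", "req": "^2"}]}),
    ]),
}


def parse_version(v: str) -> tuple:
    # Pre-release tags are out of scope for this toy; plain x.y.z only.
    return tuple(int(x) for x in v.split("."))


def caret_bounds(parts: list) -> tuple:
    """[lower, upper) range for a caret requirement given 1-3 numeric components."""
    lower = tuple(parts + [0] * (3 - len(parts)))
    for i, p in enumerate(parts):
        if p != 0:  # bump the first non-zero component that was specified
            return lower, tuple(parts[:i] + [p + 1] + [0] * (3 - i - 1))
    # All specified components are zero: bump the last one given (^0.0 -> <0.1.0).
    return lower, tuple(parts[:-1] + [parts[-1] + 1] + [0] * (3 - len(parts)))


def satisfies(version: str, req: str) -> bool:
    v = parse_version(version)
    req = req.strip()
    if req.startswith("="):
        return v == parse_version(req[1:].strip())
    if req.startswith("^"):
        req = req[1:]
    lower, upper = caret_bounds([int(x) for x in req.strip().split(".")])
    return lower <= v < upper


def load_entries(name: str, index: dict) -> list:
    """Read a crate's index file; this is a local file read, no package code runs."""
    text = index.get(index_path(name))
    if text is None:
        raise LookupError(f"{name!r} is not in the index")
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def resolve(root_deps: list, index: dict = CONSTRUCTED_INDEX) -> dict:
    """Pick the highest non-yanked version satisfying each requirement, transitively.

    Simplification: one version per crate name; cargo itself can keep several
    semver-incompatible versions side by side, which this toy reports as a conflict.
    """
    chosen = {}
    stack = list(root_deps)
    while stack:
        name, req = stack.pop()
        if name in chosen:
            if not satisfies(chosen[name], req):
                raise ValueError(f"conflict: {name} {chosen[name]} does not satisfy {req}")
            continue
        candidates = [e for e in load_entries(name, index)
                      if not e["yanked"] and satisfies(e["vers"], req)]
        if not candidates:
            raise LookupError(f"no non-yanked version of {name!r} satisfies {req}")
        best = max(candidates, key=lambda e: parse_version(e["vers"]))
        chosen[name] = best["vers"]
        stack.extend((d["name"], d["req"]) for d in best["deps"])
    return chosen


def verify_crate(name: str, vers: str, crate_bytes: bytes, index: dict = CONSTRUCTED_INDEX) -> bool:
    """After resolution, check a fetched archive against the checksum pinned in the index."""
    entry = next(e for e in load_entries(name, index) if e["vers"] == vers)
    return hmac.compare_digest(hashlib.sha256(crate_bytes).hexdigest(), entry["cksum"])


if __name__ == "__main__":
    plan = resolve([("barbaz", "^0.2")])
    print(plan, verify_crate("foo", plan["foo"], FOO_1_1_CRATE))
```

The point the toy makes is the split the comment describes: everything up to `resolve()` touches only local index data, so a malicious or platform-specific package cannot influence resolution, and the only network step (not modelled here) is fetching the archive whose hash the index already committed to.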
I use rdfind to deal with this: https://github.com/pauldreik/rdfind
Yes, that would be safer when available (although generally files within library dependencies are not modified I think?). It looks like fclones implements this, is faster and is written in Rust https://github.com/pkolaczk/fclones (the last is the most important point of course /s).
There is a similar idea being explored with https://github.com/crev-dev/cargo-crev - you trust a reviewer who reviews crates for trustworthiness, as well as other reviewers.