-
> If I'm not mistaken, it needs to download a package to know its dependencies and version constraints.
It's even worse than that. It needs to execute a Python script (setup.py?) per package to get a list of its dependencies and constraints. That script may contain arbitrary platform-dependent logic (and in the case of ML-related packages often does), which means that it can be impossible to resolve dependencies for other platforms.
> Not sure how other package managers avoid that. Maybe the central package repositories can expose the dependencies metadata without needing to download the actual package?
Yes exactly.
For dependency resolution, cargo uses only a git-based index[0], which is optimized to contain only the information required for dependency resolution (omitting other package metadata such as authors). So it syncs the git repository, and after that it is just lookups in local files of the index.
Only after dependency resolution does it need to consult an external server for retrieval of the actual package contents.
[0]: https://github.com/rust-lang/crates.io-index
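To make concrete what "just lookups in local files of the index" means, here is an added example (not Cargo's code and not from the thread): a small Python resolver over constructed lines in the crates.io-index format. The INDEX contents, the demo-* crate names and the function names are all made up; real Cargo additionally backtracks and evaluates cfg() target expressions, which this does not.

```python
import json
# Constructed sample of the crates.io-index line format (one JSON object per published
# version, keyed here by crate name); the crate names and versions are made up.
INDEX = {
    "demo-json": [
        '{"name":"demo-json","vers":"1.0.150","deps":[],"yanked":true}',
        '{"name":"demo-json","vers":"1.0.140","deps":[],"yanked":false}',
        '{"name":"demo-json","vers":"2.0.0","deps":[],"yanked":false}',
    ],
    "demo-http": [
        '{"name":"demo-http","vers":"0.2.9","deps":[{"name":"demo-json","req":"^1.0.120","kind":"normal","optional":false,"target":null}],"yanked":false}',
        '{"name":"demo-http","vers":"0.3.0","deps":[{"name":"demo-json","req":"^2","kind":"normal","optional":false,"target":"x86_64-unknown-linux-gnu"}],"yanked":false}',
    ],
}

def parse_version(text):
    """'1.0.140' -> (1, 0, 140); missing components count as 0."""
    return tuple(int(p) for p in (text.split(".") + ["0", "0"])[:3])

def satisfies(version, req):
    """Cargo caret rule ('1.2', '^1.2.3', '^0.2'): >= wanted, leftmost non-zero part fixed."""
    fields = req.lstrip("^").strip().split(".")
    wanted = parse_version(".".join(fields))
    if version < wanted:
        return False
    if wanted[0] > 0 or len(fields) == 1:
        return version[0] == wanted[0]
    if wanted[1] > 0 or len(fields) == 2:
        return version[:2] == wanted[:2]
    return version == wanted

def resolve(index, crate, req, target, chosen=None):
    """Index-only resolution: no package code runs, target filter is a string compare, no backtracking."""
    chosen = {} if chosen is None else chosen
    if crate in chosen:
        if satisfies(parse_version(chosen[crate]), req):
            return chosen
        raise ValueError(f"{crate} {chosen[crate]} conflicts with requirement {req}")
    candidates = [e for e in map(json.loads, index.get(crate, []))
                  if not e.get("yanked") and satisfies(parse_version(e["vers"]), req)]
    if not candidates:
        raise LookupError(f"no version of {crate} matches {req}")
    entry = max(candidates, key=lambda e: parse_version(e["vers"]))  # newest match wins
    chosen[crate] = entry["vers"]
    for dep in entry["deps"]:
        # Skip optional deps (no features on) and deps pinned to another triple; cfg(...) exprs aren't evaluated
        if dep.get("optional") or dep.get("target") not in (None, target):
            continue
        resolve(index, dep["name"], dep["req"], target, chosen)
    return chosen
```

Because every decision comes from the index lines, the same resolution can be computed for any target triple without running anything from the packages themselves.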
-
I use rdfind to deal with this: https://github.com/pauldreik/rdfind
-
Yes, that would be safer when available (although generally files within library dependencies are not modified I think?). It looks like fclones implements this, is faster and is written in Rust https://github.com/pkolaczk/fclones (the last is the most important point of course /s).
-
There is a similar idea being explored with https://github.com/crev-dev/cargo-crev - you trust a reviewer who reviews crates for trustworthiness, as well as other reviewers.