GNU Linux-libre 6.15-rc7-gnu: rust help needed
bill-auger
bill-auger at peers.community
Thu May 22 18:14:16 UTC 2025

On Thu, 22 May 2025 07:44:02 -0300 Alexandre wrote:
> But I could still use some insights about cargo and how (whether) it's
> used in Linux. I'm concerned about builds downloading pieces of
> software from unreviewed components in external repositories, but I
> don't know how to recognize this possibility.

these new "modern" tool-chains (rust, golang, javascript, python, etc)
typically sport a manifest file declaring dependencies somewhere in the sources
- but one simple way is to try compiling on a host without networking, and wait
until the first download fails - alternatively, enable networking and log
network activity during the build

i think it is a bit more than a "possibility" - it is nearly a certainty - as
most of rust's libraries are not packaged in distros, rust sources usually have
some dependencies which are not installed on the host and not available in its
repos - i suspect that it is quite rare to see any non-trivial rust application
which can compile OOTB on any distro, unless the distro packages all of its
rust dependencies - it is often hundreds of them, and usually all of those
would be packaged only to satisfy that one dependent application (probably not
worth the effort) - that is the main reason why there are very few programs
written in rust, golang, etc in the repos of distros

besides undeclared sources, i have observed rust deciding that it must also
download a different rust binary to replace _itself_ just before compilation
begins - so apparently, if the build recipe does not approve of the host's
rust, rust would _always_ try to download _something_ that you did not have
when the build began, even injecting new binaries into the tool-chain
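
A way to read a dependency manifest for external sources, as an added example that is not part of the message above: in a `Cargo.lock`, a package with a `source` line comes from a registry or git repository outside the tree, while one without it is already in the tree. The lock file contents and the function names `parse_lock` and `external_sources` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample Cargo.lock (not taken from any real project).
SAMPLE_LOCK = '''\
[[package]]
name = "demo-app"
version = "0.1.0"

[[package]]
name = "git-crate"
version = "0.4.0"
source = "git+https://example.invalid/git-crate.git?rev=abc123#abc123"

[[package]]
name = "helper-crate"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
'''

KEY_VALUE = re.compile(r'^(\w+)\s*=\s*"(.*)"$')

def parse_lock(text):
    """Minimal reader for the flat [[package]] tables of a Cargo.lock."""
    packages, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line == "[[package]]":
            packages.append(current := {})
        elif line.startswith("["):
            current = None          # some other table, e.g. [metadata]
        elif current is not None and (m := KEY_VALUE.match(line)):
            current[m.group(1)] = m.group(2)
    return packages

def external_sources(text):
    """Group packages by remote source kind ('registry', 'git')."""
    found = defaultdict(list)
    for pkg in parse_lock(text):
        source = pkg.get("source")   # absent for in-tree (path) packages
        if source:
            kind, _, url = source.partition("+")
            found[kind].append((pkg["name"], pkg["version"], url.split("#")[0]))
    return dict(found)

if __name__ == "__main__":
    for kind, pkgs in external_sources(SAMPLE_LOCK).items():
        for name, version, url in pkgs:
            print(f"{kind:9}{name} {version} <- {url}")
```

Every package it lists has to be downloaded, vendored or already cached before an offline build can succeed.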