testing/cargo: add note about downloading dependencies

testing/cargo/APKBUILD

@@ -16,8 +16,16 @@ makedepends="cmake curl-dev libgit2-dev libssh2-dev libressl-dev python2 zlib-de
 subpackages="$pkgname-doc
 	$pkgname-bash-completion:bashcomp:noarch
 	$pkgname-zsh-completion:zshcomp:noarch"
-# NOTE: Cargo is self-hosted, so you need cargo to build cargo (ugh).
-# TODO: Implement some support for verifying crates fetched by cargo!
+# Note: Cargo is self-hosted, so you need cargo to build cargo (ugh).
+# XXX: Cargo depends on many crates (Rust packages) and currently downloads
+#   them itself in the build phase. This quite violates our policy. However,
+#   unlike some other package managers, Cargo does not download arbitrary
+#   packages from the Internet without any verification. The source tarball
+#   includes file Cargo.lock that contains complete dependency tree with exact
+#   version and checksum for each crate . With --locked we force cargo to
+#   adhere to this file and verify checksums. So it provides the same
+#   guarantees as abuild. That said, for now it's exception only for cargo
+#   package and should not be applied to other rust packages!
 _cbuild="$CARCH-unknown-linux-musl"
 source="$pkgname-$pkgver.tar.gz::https://github.com/rust-lang/$pkgname/archive/$pkgver.tar.gz
 	https://github.com/rust-lang/rust-installer/archive/$_installer_gitrev/rust-installer-$_installer_gitrev.tar.gz