From 7560fbf3d64eb4a5eb63149359967766b078006a Mon Sep 17 00:00:00 2001
From: Jakub Jirutka <jakub@jirutka.cz>
Date: Wed, 17 May 2017 18:35:33 +0200
Subject: [PATCH] testing/cargo: add note about downloading dependencies

---
 testing/cargo/APKBUILD | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/testing/cargo/APKBUILD b/testing/cargo/APKBUILD
index 3ee8f4eb41c3..3089fecd3602 100644
--- a/testing/cargo/APKBUILD
+++ b/testing/cargo/APKBUILD
@@ -16,8 +16,16 @@ makedepends="cmake curl-dev libgit2-dev libssh2-dev libressl-dev python2 zlib-de
 subpackages="$pkgname-doc
 	$pkgname-bash-completion:bashcomp:noarch
 	$pkgname-zsh-completion:zshcomp:noarch"
-# NOTE: Cargo is self-hosted, so you need cargo to build cargo (ugh).
-# TODO: Implement some support for verifying crates fetched by cargo!
+# Note: Cargo is self-hosted, so you need cargo to build cargo (ugh).
+# XXX: Cargo depends on many crates (Rust packages) and currently downloads
+#   them itself in the build phase. This quite violates our policy. However,
+#   unlike some other package managers, Cargo does not download arbitrary
+#   packages from the Internet without any verification. The source tarball
+#   includes file Cargo.lock that contains complete dependency tree with exact
+#   version and checksum for each crate . With --locked we force cargo to
+#   adhere to this file and verify checksums. So it provides the same
+#   guarantees as abuild. That said, for now it's exception only for cargo
+#   package and should not be applied to other rust packages!
 _cbuild="$CARCH-unknown-linux-musl"
 source="$pkgname-$pkgver.tar.gz::https://github.com/rust-lang/$pkgname/archive/$pkgver.tar.gz
 	https://github.com/rust-lang/rust-installer/archive/$_installer_gitrev/rust-installer-$_installer_gitrev.tar.gz
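Review bot: The new comment's claim that `--locked` gives "the same guarantees as abuild" overstates what Cargo.lock verifies: its `checksum` entries exist only for crates fetched from a registry, while git-sourced dependencies are pinned to a revision with no content checksum, so those rest on the transport to the git host rather than on a hash the package records. The guarantee also holds only if `--locked` is in fact passed in build(), which this hunk does not show, and only for the Cargo.lock shipped inside the tarball that abuild's checksum covers; both are worth stating so a later edit does not silently drop the flag. I would amend the line `#   version and checksum for each crate . With --locked we force cargo to` to `#   version and checksum for each registry crate (git dependencies are pinned` followed by `#   to a revision, not a checksum). With --locked we force cargo to`, which also fixes the stray space before the period. A short reminder that build() therefore needs network access, unlike a normal abuild source fetch, would make the policy exception concrete for reviewers of other Rust packages.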
-- 
GitLab