On Wed, Jan 24, 2024 at 01:50:55PM -0500, Kent Overstreet wrote:
>
> We can and should have our own review process when pulling in new
> dependencies, but we shouldn't otherwise be making it difficult to use
> crates.io dependencies just for the sake of it.

One aspect I find overlooked is that downstream distros largely devendor Rust dependencies from packages. Fedora and Debian come to mind. Which means that when Rust in the kernel is something that is turned on by downstream they would need to deal with these vendored dependencies.

Is the intent here that `cargo` is pulling down dependencies from cargo.io or is it vendored as part of the source-tree but managed by cargo? Alternatively, are the dependencies included in the tarball?

The kernel being self-contained is also quite a nice property, and I'm not sure if breaking this property because of cargo is a good enough reason? If you don't vendor it as part of the source-tree then the kernel build will require a network connection to build.

There is also the security handling aspect of depending on cargo.io as any security issues in these dependencies would need to trigger kernel releases to ensure they are patched.

I don't have any solutions, but I think there are issues that need to be dealt with when considering pulling down external dependencies.

--
Morten Linderud
PGP: 9C02FF419FECBE16