Related: we're wondering how to use Rust because currently all non-Rust dependencies in our org are pulled from:

- corporate source code control systems
- corporate central repositories
- caching/proxying immutable repositories

These ensure all projects are built from known sources. We _know_ we can get consistent builds. When using Cargo:

- Project owners update projects and don't bump the version. New bugs / security problems could be injected even though we haven't changed a thing internally.
- crates.io isn't always up.
- Trust: we legally cannot trust (PCI compliance violations - 2015 rules (viral)) the public crates.io repository. Besides PCI compliance, it's not possible for crates.io to guarantee perfect security (so many reasons, obviously).

I'm hoping folks who have addressed this issue (or are addressing it, or are planning on addressing it) would comment.
You can't update a crate on crates.io without bumping the version. Once a version is published, it cannot be removed. (It can be "yanked," but even yanking it does not make it completely inaccessible.)
> These ensure all projects are built from known sources. We _know_ we can get consistent builds.
Cargo isn't coupled to crates.io. You can run your own registry index. (Note the `[registry]` config section: http://doc.crates.io/config.html)

All of the code that powers crates.io is open source. On top of that, crate dependencies can be specified via git URLs or locations on disk. Repeatable builds are well supported IMO.
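As an added illustration of the setup the reply describes (this is example configuration written for this page, not something from the thread, Cargo's docs, or any named project), here is what a project that never touches the public crates.io at build time looks like with a current Cargo. It assumes `cargo vendor` has been run once with network access to populate `vendor/`, and every host name, registry URL, crate name and commit hash below is a placeholder.

```toml
# .cargo/config.toml  (example, placeholder URLs)

# 1. Send every crates.io lookup to a directory filled by `cargo vendor`.
#    `cargo vendor` prints this exact stanza when it finishes; committing
#    `vendor/` alongside `Cargo.lock` makes the build independent of
#    crates.io uptime and of anything published there later.
[source.crates-io]
replace-with = "vendored-sources"

[source.vendored-sources]
directory = "vendor"

# 2. Alternative to vendoring: an internal caching mirror of the crates.io
#    index. Switch `replace-with` above to "internal-mirror" to use it.
[source.internal-mirror]
registry = "https://crates.example.internal/crates-io-mirror"   # placeholder

# 3. A separate private registry for first-party crates.
[registries.internal]
index = "https://crates.example.internal/first-party-index"      # placeholder


# Cargo.toml of a service consuming those sources  (example)
[package]
name = "payments-service"      # placeholder
version = "0.1.0"
edition = "2021"

[dependencies]
# Git dependency pinned to one commit. Cargo records the resolved commit in
# Cargo.lock, so a force-pushed branch cannot silently change the build.
serde = { git = "https://git.example.internal/mirrors/serde.git", rev = "0123456789abcdef0123456789abcdef01234567" }   # placeholder mirror + SHA

# Crate from the private registry declared in .cargo/config.toml.
internal-auth = { version = "1.4", registry = "internal" }   # placeholder crate

# Crate that lives in this repository; built straight from the checkout.
shared-types = { path = "../shared-types" }                  # placeholder path
```

With `Cargo.lock` and `vendor/` committed, CI builds with `cargo build --locked --offline`: `--locked` fails the build if resolution would change the lock file (for example because someone edited a dependency without bumping the version), and `--offline` fails it if anything would have to be fetched from a network source at all. Note that vendoring and pinning solve availability and reproducibility; reviewing what goes into `vendor/` before it is committed is still the step that addresses trust.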