by yakubin 1810 days ago
> As for Cargo, [...] I also found it unusable because it provided no way to check for the hash or signature of the dependencies that it downloads.

Afaik Cargo does it out of the box, based on Cargo.lock.

UPDATE: This doc page seems to confirm that: <https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lo...>

1 comments

I did not know about rev, thanks. Though, since there is no way to specify a signature you are forced to use potentially outdated packages.
"cargo update" will update the packages along with Cargo.lock content. As for not updating them without a manual trigger, I consider it a feature, but I guess it's a matter of opinion.
> "cargo update" will update the packages along with Cargo.lock content

Disregarding the rev attribute?

This is the entire point of this command. It will update the rev attribute. What else would it be for?
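
An added example, not part of the thread: a sketch of the check the comments are discussing. Registry packages in Cargo.lock carry a `checksum` field (the SHA-256 of the downloaded `.crate` file), while git dependencies carry no checksum and are pinned by the commit hash after `#` in `source`. The package names, the URL, the crate bytes and the helpers `parse_lock` and `check` are all constructed for illustration.

```python
import hashlib
import re

# Constructed sample: stand-in .crate bytes and a Cargo.lock that pins them.
CRATE_BYTES = b"constructed stand-in for demo-crate-1.0.0.crate"
LOCK_TEXT = f'''
version = 3

[[package]]
name = "demo-crate"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "{hashlib.sha256(CRATE_BYTES).hexdigest()}"

[[package]]
name = "demo-git-dep"
version = "0.2.0"
source = "git+https://example.com/demo/demo-git-dep?rev=0123abc#0123abc0123abc0123abc0123abc0123abc01234"
'''

def parse_lock(text):
    """Return {(name, version): {key: value}} for each [[package]] table."""
    packages = {}
    for block in text.split("[[package]]")[1:]:
        # Only simple `key = "value"` lines matter here; arrays are skipped.
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"$', block, re.M))
        packages[(fields["name"], fields["version"])] = fields
    return packages

def check(packages, name, version, crate_bytes=b""):
    """Report how the lockfile pins one package; verify bytes if it can."""
    entry = packages[(name, version)]
    source = entry.get("source", "")
    if source.startswith("git+"):
        # Git sources have no checksum; the pin is the commit after '#'.
        return "git-pinned:" + source.rsplit("#", 1)[1]
    if "checksum" not in entry:
        # Path and workspace packages are recorded without a checksum.
        return "no-checksum"
    digest = hashlib.sha256(crate_bytes).hexdigest()
    return "ok" if digest == entry["checksum"] else "mismatch"

if __name__ == "__main__":
    pkgs = parse_lock(LOCK_TEXT)
    print(check(pkgs, "demo-crate", "1.0.0", CRATE_BYTES))
    print(check(pkgs, "demo-crate", "1.0.0", CRATE_BYTES + b"tampered"))
    print(check(pkgs, "demo-git-dep", "0.2.0"))
```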