I just found the policy is updated and I now understand why GitHub matters
in your opinion. Thanks for the clarification, I forgot this fact.
> CRAN does not regard github.com (which hosts the index of crates.io) as
> sufficiently reliable.
The good news is that, as of Rust 1.68, Cargo supports th
Simin,
Sorry that my question was not clear. Let me clarify.
I think we all agree that "cargo vendor" is the primary option. Since
downloading without explicit permission is not allowed on CRAN in general,
it's reasonable. I'm happy that the instructions will describe it clearly.
But, some R pac
The concerns over github going away (!!) (or altering references, tags,
releases, ...) may be somewhat alleviated by Software Heritage [1] covering
and 'preserving' it. FWIW I briefly spoke about that initiative and a possible
CRAN connection at useR! in Toulouse four years ago [2].
I think I und
> On Jul 14, 2023, at 11:19 AM, Hadley Wickham wrote:
>
>>> If CRAN cannot trust even the official one of Rust, why does CRAN have Rust
>>> at all?
>>>
>>
>> I don't see the connection - if you downloaded something in the past it
>> doesn't mean you will be able to do so in the future. And
On 13/07/2023 7:19 p.m., Hadley Wickham wrote:
If CRAN cannot trust even the official one of Rust, why does CRAN have Rust at
all?
I don't see the connection - if you downloaded something in the past it doesn't
mean you will be able to do so in the future. And CRAN has Rust because it
sound
> > If CRAN cannot trust even the official one of Rust, why does CRAN have Rust
> > at all?
> >
>
> I don't see the connection - if you downloaded something in the past it
> doesn't mean you will be able to do so in the future. And CRAN has Rust
> because it sounded like a good idea to allow pac
Yutani,
[moving back to the original thread, please don't cross-post]
> On Jul 13, 2023, at 3:34 PM, Hiroaki Yutani wrote:
>
> Hi Simon,
>
> Thanks for the response. I thought
>
>> download a specific version from a secure site and check that the
>> download is the expected code by some sort
> > it is not expected to use cargo to resolve them from random (possibly
> > inaccessible) places
>
> Yes, I agree with you. So, I suggested the possibility of forbidding the
> Git dependency. Or, do you call crates.io, Rust's official repository,
> "random places"? If CRAN cannot trust even the off
Thank you for the correction. I see.
Best,
Yutani
On Thu, Jul 13, 2023 at 16:08, Tomas Kalibera wrote:
>
> On 7/13/23 05:08, Hiroaki Yutani wrote:
> > I actually use cargo vendor.
> >
> >
> https://github.com/yutannihilation/string2path/blob/main/src/rust/vendor.sh
> >
> > One thing to note is that, prior to R
On 7/13/23 05:08, Hiroaki Yutani wrote:
I actually use cargo vendor.
https://github.com/yutannihilation/string2path/blob/main/src/rust/vendor.sh
One thing to note is that, prior to R 4.3.0, the vendored directories hit
the Windows' path limit so I had to put them into a TAR file. I haven't
te
Hi Simon,
Thanks for the response. I thought
> download a specific version from a secure site and check that the
> download is the expected code by some sort of checksum
refers to the usual process that's done by Cargo automatically. If it's
not, I think the policy should have a clear explanation.
I actually use cargo vendor.
https://github.com/yutannihilation/string2path/blob/main/src/rust/vendor.sh
One thing to note is that, prior to R 4.3.0, the vendored directories hit
the Windows' path limit so I had to put them into a TAR file. I haven't
tested on R 4.3.0, but probably this problem i
> On 13/07/2023, at 2:50 PM, Kevin Ushey wrote:
>
> Package authors could use 'cargo vendor' to include Rust crate sources
> directly in their source R packages. Would that be acceptable?
>
Yes, that is exactly what was suggested in the original thread.
Cheers,
Simon
> Presumedly, the
Package authors could use 'cargo vendor' to include Rust crate sources
directly in their source R packages. Would that be acceptable?
Presumedly, the vendored sources would be built using the versions
specified in an accompanying Cargo.lock as well.
https://doc.rust-lang.org/cargo/commands/cargo-
Yutani,
I'm not quite sure your reading fully matches the intent of the policy.
Cargo.lock is not sufficient, it is expected that the package will provide
*all* the sources, it is not expected to use cargo to resolve them from random
(possibly inaccessible) places. So the package author is expe