Just to tell that my concern was about making this checksum verification not mandatory: if the recipe didn't specify any checksum for crates, my modification will let it through. If we want to make it mandatory, we just have to make the method "recommends_checksum" in crate.py return True instead of False.

Alex, when you talk about updating librsvg and the cargo crate updater, do you mind elaborating? If there are some things to rework/add in my patches I'll be glad to do so (if you tell me what is expected).

On Wed, 15 Mar 2023, 18:43, Alex Kiernan wrote:

> On Wed, Mar 15, 2023 at 5:08 PM Martin Jansa wrote:
> >
> > On Wed, Mar 15, 2023 at 4:50 PM Alexander Kanavin <alex.kanavin@gmail.com> wrote:
> >>
> >> On Wed, 15 Mar 2023 at 16:03, Alex Kiernan wrote:
> >> > I really don't think this is the right direction, at least not by
> >> > default. If a crate is your primary build artefact then this is
> >> > useful:
> >> >
> >> > https://bugzilla.yoctoproject.org/show_bug.cgi?id=15012
> >> >
> >> > But doing this for all the dependency crates we're just repeating
> >> > what's in the Cargo.lock which should always be part of the primary
> >> > artefact.
> >>
> >> Maybe cargo will verify (some) items against Cargo.lock. Maybe it
> >> won't. Upstream cargo isn't something we develop, and it may add and
> >> remove various exceptions and special cases.
> >>
> >> Anyway, we cannot actually trust cargo (unlike, say, git), and we need
> >> to do our own checks, and keep the checksums in files external to the
> >> source tree. This will free us from worrying about whether cargo
> >> protects us from supply chain attacks properly or not.
> >
> >
> > Also if bitbake fetcher detects unexpected checksum it can easily rename
> > the file in DL_DIR and try fetching it again, because that's what fetcher
> > does for other downloads and fetcher "owns" DL_DIR.
> >
> > If cargo complains about unexpected checksum, then cargo fails and user
> > will have to make sure that wrongly fetched crate is removed from DL_DIR.
> >
> > Regards,
>
> Okay, you're convincing me :) I've definitely tripped over that!
>
> I guess we need to update the cargo crate updater class and librsvg too.
>
> --
> Alex Kiernan
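As an added illustration (not bitbake's fetch2 code, and not from any of the patches discussed), the sketch below models the two behaviours the thread describes: a recipe without a crate checksum is let through only while recommends_checksum is False, and a file whose sha256 does not match is renamed aside in DL_DIR and fetched once more instead of being reused. The fetch_crate, writer and demo names, the `_bad-checksum_` suffix and the sample crate bytes are constructed for this example.

```python
import hashlib
import os
import tempfile

class ChecksumError(Exception):
    pass

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def fetch_crate(dl_dir, name, download, expected=None, recommends_checksum=False):
    """Fetch crate `name` into DL_DIR via download(dest) and verify it: no checksum
    is let through unless recommends_checksum is True; a bad file is moved aside."""
    dest = os.path.join(dl_dir, name)
    if expected is None and recommends_checksum:
        raise ChecksumError(f"{name}: recipe gives no sha256sum")
    for _ in range(2):
        if not os.path.exists(dest):
            download(dest)
        if expected is None:
            return dest  # nothing to verify against
        actual = sha256_of(dest)
        if actual == expected:
            return dest
        os.replace(dest, f"{dest}_bad-checksum_{actual}")  # keep it out of the retry
    raise ChecksumError(f"{name}: sha256 {actual} != {expected}")

def writer(data):  # stand-in transport: download(dest) writes constructed bytes
    def download(dest):
        with open(dest, "wb") as f:
            f.write(data)
    return download

def demo():
    """Constructed scenario: DL_DIR holds a wrongly fetched copy of a crate,
    and a second source keeps serving bad bytes and must be rejected."""
    good = b"crate bytes as published (constructed sample)"
    expected = hashlib.sha256(good).hexdigest()
    with tempfile.TemporaryDirectory() as dl_dir:
        with open(os.path.join(dl_dir, "foo-1.0.0.crate"), "wb") as f:
            f.write(b"truncated download")  # left behind by an earlier run
        path = fetch_crate(dl_dir, "foo-1.0.0.crate", writer(good), expected)
        aside = sum("_bad-checksum_" in n for n in os.listdir(dl_dir))
        try:
            fetch_crate(dl_dir, "bar-2.0.0.crate", writer(b"tampered"), expected)
        except ChecksumError:
            return sha256_of(path) == expected, aside, True
        return sha256_of(path) == expected, aside, False
```

demo() returns (True, 1, True): the stale foo crate was moved aside and replaced by a verified copy, and the persistently bad bar crate was rejected after the retry.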