Disable mandatory cargo file checksums for vendored crates

arachsys · arachsys · commit bdc6635b5e14 · 2024-09-11T19:43:49.000+01:00
Dependency downloads can be separated from the build phase of a rust
package using cargo vendor. However, cargo obstructs patching of vendored
crates by enforcing file checksums on their contents during compilation.

Like many other distributions, we have worked around this with an ugly
sed hack, rewriting the .cargo-checksum.json files to remove the file
checksums when they are invalidated.

Instead, fix the obnoxious upstream behaviour properly by ignoring
file checksums for vendored crates unless verification is specifically
requested by setting CARGO_VENDOR_VERIFY=1 in the environment.
diff --git a/rust/build b/rust/build
@@ -7,15 +7,14 @@ check() {
 
 prepare() {
   unpack https://static.rust-lang.org/dist/rustc-1.81.0-src.tar.gz
-  sed -i -E 'H;1h;$!d;x;s/("files"\s*:\s*\{)("([^"\\]|\\.)*"|[^"}])*/\1/' \
-    vendor/*/.cargo-checksum.json
   apply curl.diff
   apply libexec.diff
   apply libressl.diff
   apply system.diff
   apply target.diff
+  apply verify.diff
   apply version.diff
-  tree cd8c873858b19e4981735e42cbd05f750f3467c662a8f45c75f9fc24584ccccc
+  tree cab116209fd67c0e218f3a68b4da36a3d0867a32abe18b6755821bb6d38c03a8
 }
 
 build() {
diff --git a/rust/verify.diff b/rust/verify.diff
@@ -0,0 +1,21 @@
+diff --git a/src/tools/cargo/src/cargo/sources/directory.rs b/src/tools/cargo/src/cargo/sources/directory.rs
+index 6fff8ed2..a21555b3 100644
+--- a/src/tools/cargo/src/cargo/sources/directory.rs
++++ b/src/tools/cargo/src/cargo/sources/directory.rs
+@@ -1,4 +1,5 @@
+ use std::collections::HashMap;
++use std::env;
+ use std::fmt::{self, Debug, Formatter};
+ use std::path::{Path, PathBuf};
+ use std::task::Poll;
+@@ -230,6 +231,10 @@ impl<'gctx> Source for DirectorySource<'gctx> {
+             anyhow::bail!("failed to find entry for `{}` in directory source", id);
+         };
+ 
++        if env::var("CARGO_VENDOR_VERIFY").map_or(true, |v| v == "0") {
++            return Ok(())
++        }
++
+         for (file, cksum) in cksum.files.iter() {
+             let file = pkg.root().join(file);
+             let actual = Sha256::new()
