Offline general purpose build container

I want to make a container with rust and all my favorite crates to build in an offline environment. Vendoring works except I need a lock file and I didn't keep one that matches the versions of the crates I got approved by legal. "No seriously none of it is copyleft" doesn't really work for them and they won't trust cargo-deny. Rather than go through the forms and scans, etc., I was thinking of making a program that generates a lock file from a vendor folder. The sha256sum should be of the crate not the folder though; should I just be able to tgz it first? But first, does that already exist?

Alternatively I could put them all in the registry cache as crate files, but haven't figured out how to populate the index folder from a tarball out of github yet. Could just zip my index folder push it up to my github and point legal at that, but that whole approach seems hacky.

Lastly I could have a second image that uses git to be an alternative registry I patch/replace? into the first container. Then just write something to generate the index json?

Thoughts?
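An added example, not code from the poster: a small Python script that walks a `cargo vendor` output directory, reads each crate's name and version plus the sha256 that cargo already recorded for the downloaded .crate archive in `.cargo-checksum.json`, renders that inventory in Cargo.lock syntax (without the per-package `dependencies` lists, which need the resolver), and diffs it against an approved name/version/checksum list. The `demo-crate` directory and its hash are constructed inline so the script runs offline.

```python
import hashlib, json, re, tempfile
from pathlib import Path

# Constructed sample: a minimal vendor tree laid out the way `cargo vendor`
# writes it. The "package" field of .cargo-checksum.json is the sha256 of the
# .crate archive as downloaded; re-archiving the extracted tree would not
# reproduce it, so the recorded value is what gets compared.
VENDOR = Path(tempfile.mkdtemp()) / "vendor"
SAMPLE_PKG_HASH = hashlib.sha256(b"constructed crate bytes").hexdigest()
(VENDOR / "demo-crate").mkdir(parents=True)
(VENDOR / "demo-crate" / "Cargo.toml").write_text(
    '[package]\nname = "demo-crate"\nversion = "1.2.3"\n\n[dependencies]\n')
(VENDOR / "demo-crate" / ".cargo-checksum.json").write_text(
    json.dumps({"files": {}, "package": SAMPLE_PKG_HASH}))

CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"
KV = re.compile(r'^\s*(name|version)\s*=\s*"([^"]+)"', re.M)

def collect_vendored(vendor_dir):
    """Return {(name, version): sha256} for every crate directory under vendor_dir."""
    found = {}
    for crate_dir in sorted(p for p in Path(vendor_dir).iterdir() if p.is_dir()):
        toml = (crate_dir / "Cargo.toml").read_text()
        # Only the [package] table is needed; stop at the next table header.
        pkg = toml.split("[package]", 1)[1].split("\n[", 1)[0]
        meta = dict(KV.findall(pkg))
        cs = json.loads((crate_dir / ".cargo-checksum.json").read_text())["package"]
        if not re.fullmatch(r"[0-9a-f]{64}", cs):
            raise ValueError(f"{crate_dir.name}: malformed package checksum")
        found[(meta["name"], meta["version"])] = cs
    return found

def render_lock(found):
    """Emit Cargo.lock-style [[package]] blocks (name, version, source, checksum)."""
    lines = ["# Generated from vendor/; checksums are those recorded by cargo vendor",
             "version = 3", ""]
    for (name, ver), cs in sorted(found.items()):
        lines += ["[[package]]", f'name = "{name}"', f'version = "{ver}"',
                  f'source = "{CRATES_IO}"', f'checksum = "{cs}"', ""]
    return "\n".join(lines)

def check_approved(found, approved):
    """Compare against an approved {(name, version): sha256} list; return problems."""
    problems = []
    for key, cs in found.items():
        if key not in approved:
            problems.append(f"{key[0]} {key[1]}: not on the approved list")
        elif approved[key] != cs:
            problems.append(f"{key[0]} {key[1]}: checksum differs from approved")
    return problems
```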

Have you considered using a private registry? That's what we do at $work for internal packages.

Can't you just specify exact versions in the manifest and then leave lock file generation to Cargo? (obviously you'll need to verify the versions manually.)

Sub dependencies allow the stuff they bring in to float up to new versions instead of fixing them. I wish that would only happen if something else in the build needed the newer version.

That is what I meant by the git method. Is there a better way to do a private registry now? I know artifactory makes it pretty easy, but I'd rather use something open.

cargo fetch --frozen should handle that

The git dumb http protocol makes it possible to serve a bare git repo with a webserver. This can be used as a read-only registry. There are a bunch of crates that offer read/write registry functionality but I haven't used any of them ($work pays for artifactory).

Alternatively the sparse registry protocol has been stabilized recently. But for publishing you'll still need an API service.


Given this is a container just for offline builds, read only isn't an issue. Sounds like git is a decent approach, thanks.
