> Can we use cargo vendor?
>My understanding is that Debian policy >does not permit downloading
>during the build [0].
>Would it be acceptable to install the compiler from
https://rustup.rs/ during package building?
>> My understanding is that Debian policy does not permit downloading
during the build [0].
Ok, I suppose we have to live with distribution compiler. Though, it may make some old systems without rust 1.70.0 unsupportable.
>> According to this post [1] on the debian-rust mailing list, "vendoring should be avoided unless there is a very good reason not to".
>> The Debian Rust packaging team has a pretty comprehensive guide [2] and it looks like they have tooling to help assist with the packaging process.
I think we have a very good reason here - a lot of distributions of different versions with different libversions. Even making it just to be "compilable" would require tremendous effort, supporting it will be unmanageable.
I see no good reason not to use vendoring in case of "multiple distribution"-build process.
1. It's a tarboll artifact, released with main project, under the same release tag.
2. It is reproducible and has public hash, so it can be verified.
3. It allows local build, nothing has to be downloaded.
4. Consistent binary behavior across multiple distributions.
