emacs-devel

Re: [PROPOSAL] Builder, a build system integration for Emacs


From: Richard Stallman
Subject: Re: [PROPOSAL] Builder, a build system integration for Emacs
Date: Sun, 28 May 2023 17:48:38 -0400

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

You've told me a lot of pertinent info about how Cargo works.
Thank you for going to that effort.  I think that due to your help
I now understand the issue enough to reach tentative conclusions.

The conclusions say that we have a problem.  The reasoning is
explained below.

  > > Where does cargo get the list of libraries to consider using?
  > >

  > The dependencies of a Rust program/library are specified (manually) by the 
  > author of that program/library, in a (structured) text file.  The source 
  > code of the libraries on which the program/library depends are downloaded 
  > (by Cargo) from the crates.io registry, and kept in a local cache 
  > (CARGO_HOME, by default $HOME/.cargo).

I expected it was something like this, but I didn't know.
Now I know.  Thanks.

  > No, some libraries/programs in the crates.io registry are non-free

I was worried about that.

So if you build a Rust program Foo, its dependencies will cause some libraries
to be loaded from crates.io, and their dependencies will cause other libraries 
to be loaded from crates.io, and so on recursively.  Is that right?

And if any of those libraries specifies a nonfree dependency, that nonfree code
will get compiled into the program Foo -- right?

If so, that puts freedom at risk.  It means that any time you build a
Rust program that you have not thoroughly studied, you don't know
whether it will incorporate nonfree software.

Have I made any mistake in this reasoning?

If it is correct so far, I think that implies that the standard
version of Cargo is unacceptable in a free system.  With the standard
version of Cargo, all the packages in crates.io are virtually included
in the system distro.  If crates.io contains any nonfree package,
then any system distro that includes Cargo virtually includes that
nonfree package, so it is not a free distro.

Our distros must be free -- so I think it follows that our distros
cannot include unmodified Cargo.

Have I made any mistake in this reasoning?

  >   Since a registry is just a git repository hosted
  > online or locally, you can fork the crates.io repository, and then you
  > are free to modify it as you see fit, such as filtering out unsuitable
  > libraries (e.g., those who transitively depend on any non-libre
  > libraries).

Maybe we need to make such a fork of crates.io, delete all nonfree
packages, and modify our version of Cargo to use that.

How do packages get approved for inclusion in crates.io?
There are both freedom issues and security issues.

I think we should move this to gnu-prog-disc.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
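
Added example, not part of the original message and not code from Cargo or crates.io: a sketch of the registry filtering discussed in the message above, which rejects every crate that reaches a non-allowlisted license through any chain of dependencies and reports that chain. The registry contents, crate names, license strings and the allowlist are constructed assumptions, and version resolution and optional features are ignored.

```rust
use std::collections::BTreeMap;

// Constructed registry (names and licenses made up): crate -> (license, direct deps).
type Registry = BTreeMap<&'static str, (&'static str, Vec<&'static str>)>;
// Assumption: the distro's allowlist of acceptable license identifiers.
const FREE: [&str; 3] = ["GPL-3.0-or-later", "MIT", "Apache-2.0"];

fn sample_registry() -> Registry {
    BTreeMap::from([
        ("foo", ("GPL-3.0-or-later", vec!["parser", "net"])),
        ("parser", ("MIT", vec!["util"])),
        ("util", ("Apache-2.0", vec!["parser"])), // cycle: parser <-> util
        ("net", ("MIT", vec!["tls-blob"])),
        ("tls-blob", ("Proprietary-EULA", vec![])),
        ("cli", ("MIT", vec!["parser", "gone"])), // "gone" is not in the registry
    ])
}

// Rejected crate -> cause: itself (license), a missing dependency, or a rejected dependency.
fn rejected(reg: &Registry) -> BTreeMap<&'static str, &'static str> {
    let mut bad: BTreeMap<&'static str, &'static str> = BTreeMap::new();
    loop { // iterate to a fixed point; cycles of free crates stay accepted
        let mut changed = false;
        for (&name, (license, deps)) in reg {
            if bad.contains_key(name) { continue; }
            let dep = deps.iter().copied().find(|d| bad.contains_key(d) || !reg.contains_key(d));
            let cause = if FREE.contains(license) { dep } else { Some(name) };
            if let Some(c) = cause { bad.insert(name, c); changed = true; }
        }
        if !changed { return bad; }
    }
}

// Dependency path from `start` down to the crate that caused its rejection.
fn why_rejected(reg: &Registry, start: &'static str) -> Option<Vec<&'static str>> {
    let bad = rejected(reg);
    let mut path = vec![start];
    let mut cur = *bad.get(start)?;
    while cur != path[path.len() - 1] {
        path.push(cur);
        match bad.get(cur) { Some(&next) => cur = next, None => break }
    }
    Some(path)
}

fn main() {
    let reg = sample_registry();
    for &name in reg.keys() { println!("{name}: {:?}", why_rejected(&reg, name)); }
}
```

A dependency that is absent from the filtered registry is treated as a rejection cause, since its license cannot be checked.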