On Wed, Jan 11, 2017, at 06:03 AM, Henri Sivonen wrote: > Does that mean that crates under third_party/rust/ are going to have > their entire histories imported in the future? Currently, they only > have vendoring-time snapshots.
I'm unaware of any plans to do this. I'd expect us to have a distinction between: 1) Crates where Mozilla is the primary author but the repository of record is somewhere else like GitHub (like Servo). These will probably be vendored specially into somewhere other than third_party/rust as Servo is. There are other non-Rust projects that want this as well, such as Azure (the graphics library) and devtools. 2) Crates whose repository of record is mozilla-central. This is likely to be primarily Gecko glue code, like the nsstring[1] crate. 3) Crates where Mozilla is not the primary author, pulled in as dependencies from crates.io. These will continue to be vendored into third_party/rust. Note that crates.io currently doesn't require crates to specify a VCS repository or revision or anything like that, so I'm not sure it's completely tractable to vendor these dependencies with full history anyway. RE: your other point, we have a few bugs around verifying licensing on vendored crates, as well as implementing some sort of "trust checking" to verify what we're pulling in from crates.io: https://bugzilla.mozilla.org/show_bug.cgi?id=1316990 https://bugzilla.mozilla.org/show_bug.cgi?id=1322798 -Ted 1. https://dxr.mozilla.org/mozilla-central/source/xpcom/rust/nsstring _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
