Do we need the `cargo` dependency?

crev-dev / cargo-crev

A cryptographically verifiable code review system for the cargo (Rust) package manager.

Apache License 2.0

2.1k stars 90 forks source link

Do we need the `cargo` dependency? #656

Open kornelski opened 1 year ago

kornelski commented 1 year ago

Should we drop the cargo dependency?

It's big and slow to compile.
Requires openssl, libgit2.
Has high MSRV.
Keeping up with Cargo's API changes is a chore, especially that there are also behavior changes.

I think we could rely on shelling out to command-line for cargo. Anybody running cargo crev is obviously going to have the cargo binary. A combination of cargo metadata, crates-index, and cargo-lock could be enough.

dpc commented 1 year ago

Yeah, it's probably a good idea.