Our use case for this is the following:

- We want to import and build 3rd party Rust binaries -- such as cargo-vet itself.
- We want to apply our own auditing criteria, not necessarily what is used by the upstream maintainers.
- We want to leave the imported code untouched -- simply mirror the upstream repo, and not fork or maintain patches.

Without the ability to override the path to the supply-chain directory, we would have to fork or patch Config.toml to set [package.metadata.vet].

As a side note, the behavior of cargo vet with respect to the current working directory differs from that of cargo vendor. cargo vendor --manifest-path blah/Cargo.toml uses a vendor directory in the current working directory, while cargo vet init --manifest-path blah/Cargo.toml creates a supply-chain directory in the same directory as the manifest.