{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreiaefaqa2xb3ud3k5porogpsvp255oy7i4xpfagxlw24ragyssmdva",
    "uri": "at://did:plc:ivbknywyskln22er3nkssdhl/app.bsky.feed.post/3mkm2p3p3ifg2"
  },
  "path": "/t/easily-inspect-dependencies/24200#post_7",
  "publishedAt": "2026-04-29T01:55:12.000Z",
  "site": "https://internals.rust-lang.org",
  "tags": [
    "Consider making the `src` cache read-only. · Issue #9455 · rust-lang/cargo · GitHub"
  ],
  "textContent": "Rudxain:\n\n> It doesn't have to be about security since the very beggining. Just an easy way to see docs and implementation details without having to re-download data. The (dep/lib/bin) docs don't (and shouldn't) specify all impl details, so being able to use `cargo` (instead of RA/r-a) to find those details would be nice.\n\nWhat do you mean \"without having to redownload\"?\n\nRudxain:\n\n> This suggests that mitigating supply-chain attacks should also be important to Cargo\n\nThis is still very abstract. Why does opening the files locally in this way part of supply chain security?\n\nRudxain:\n\n> epage:\n>\n>> cache read-only but we've had problems with that\n>\n> Understood . Could this be improved in the next edition? or is it a portability limitation because of the many platforms where Cargo is officially supported?\n\nI don't remember the details. The issue is Consider making the `src` cache read-only. · Issue #9455 · rust-lang/cargo · GitHub\n\nOne problem I can see is build scripts copying data or doing other stuff. Build scripts are tricky with editions because an edition is local to a package but a build script's interactions with cargo are at the progess level which encompasses all packages built into it. If a build script uses a helper library from a different edition, it should still work.",
  "title": "Easily inspect dependencies"
}