Easily inspect dependencies

Rust Internals [Unofficial] April 29, 2026
epage:

What do you mean "without having to redownload"?

I mean what Kornel suggested:

kornel:

Currently the easiest safe official method is to view code at https://docs.rs

To which I agree. But there are caveats:

  • Cache duplication: browser and cargo storing similar copies of the same thing
  • Not local-first. Ideally, browsers should allow caching pages for arbitrary periods of time, and they should reuse cached copies when connection fails, but major browsers don't do that; I often see "security" and "document expiration" cited as excuses, but not all pages need that.
  • User-agent sniffing: if crates.io and docs.rs get compromised, the source-code view of a crate on the web could look normal, but the one downloaded via cargo would have malicious code. This is the same reason why inspecting scripts in a browser before running curl https://sketchy-sus-site.com | sh is not enough validation, as curl has a different UA string than the browser. This also answers the other question:

epage:

Why is opening the files locally in this way part of supply chain security?

because the "web-view" of a file might not match the version downloaded through other means.

epage:

Build scripts are tricky [...]

I see. Thanks for explaining.
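As an added example (not code from this thread or from cargo), a small Python script for the check the reply describes: verify the `.crate` file cargo cached locally against the checksum pinned in Cargo.lock, then diff its files against a copy of the same crate obtained another way. The crate contents, the Cargo.lock text and the `build_crate` helper are constructed here for illustration.

```python
"""Check a cargo-cached .crate against Cargo.lock and diff it against another copy."""
import hashlib
import io
import re
import tarfile

def lock_checksum(cargo_lock_text, name, version):
    """Return the sha256 checksum Cargo.lock pins for name@version, or None."""
    for block in cargo_lock_text.split("[[package]]"):
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"', block, re.M))
        if fields.get("name") == name and fields.get("version") == version:
            return fields.get("checksum")
    return None

def crate_matches_lock(crate_bytes, cargo_lock_text, name, version):
    """True if sha256 of the .crate bytes equals the checksum in Cargo.lock."""
    expected = lock_checksum(cargo_lock_text, name, version)
    return expected is not None and hashlib.sha256(crate_bytes).hexdigest() == expected

def crate_files(crate_bytes):
    """Map member path -> content for every regular file in a .crate (gzipped tar)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tf:
        for m in tf.getmembers():
            if m.isfile():
                out[m.name] = tf.extractfile(m).read()
    return out

def diff_sources(a_files, b_files):
    """Sorted paths whose content differs or that exist on only one side."""
    return sorted(p for p in set(a_files) | set(b_files) if a_files.get(p) != b_files.get(p))

def build_crate(files):
    """Constructed helper: pack {path: bytes} into a gzipped tar, as a .crate is."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: the copy cargo cached locally and a copy fetched another way;
# only the build script differs, which a web view alone would not reveal.
COMMON = {"demo-0.1.0/Cargo.toml": b'[package]\nname = "demo"\nversion = "0.1.0"\n',
          "demo-0.1.0/src/lib.rs": b"pub fn answer() -> u32 { 42 }\n"}
CARGO_CRATE = build_crate({**COMMON, "demo-0.1.0/build.rs": b'fn main() { println!("cargo:rerun-if-changed=build.rs"); }\n'})
OTHER_CRATE = build_crate({**COMMON, "demo-0.1.0/build.rs": b"fn main() {}\n"})
# Constructed Cargo.lock pinning the checksum of the bytes cargo actually downloaded.
CARGO_LOCK = ('[[package]]\nname = "demo"\nversion = "0.1.0"\n'
              'source = "registry+https://github.com/rust-lang/crates.io-index"\n'
              f'checksum = "{hashlib.sha256(CARGO_CRATE).hexdigest()}"\n')
```

On a real machine the cached file lives under `~/.cargo/registry/cache/`, and Cargo.lock is read from the project root.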
