In Nixpkgs we’ve seen several packages now using the PyO3 ecosystem of packages. Two of these, setuptools-rust, allow one to build extension modules and/or executables written in Rust but distributed as a wheel.

Seeing Rust being used this way is interesting; however, there is one issue that I think is problematic. Unfortunately, cargo is used not only to build the Rust code, but also to fetch dependencies. Indeed, as part of a build, dependencies are fetched. Cryptography is a common package that now also uses setuptools-rust and indeed fetches dependencies.
How do other distributors intend to handle this? Does this follow the spirit of PEP 517/518? I know they don’t mention anything regarding fetching during a build. Would it make sense for a new PEP to require that? Given pip does some sandboxing, are there any ideas/plans to block network access as well (as we do in Nixpkgs)?
cc @konstin as author of maturin.