-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please consider making download
a non-default feature
#67
Comments
Hi Andlon, I have forked this crate to https:/njaard/mkl-src/ because of the apparent absence of the original author. To be clear, it's with complete respect to @termoshtt's work. May I ask you to re-submit your issue for the purposes of a paper trail and I will be pretty much immediately apply the change. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I've raised a similar concern before in #29. The situation is much improved now since a local library is sought first, and there is a
download
feature which controls whether or not MKL might be downloaded if none was found.However, because the feature is default, it means that if any library depending on
intel-mkl-src
fails to setdefault-features = false
, thedownload
option will be enabled, and there is no way to turn it off (besides patching all dependencies that use it). There are several reasons why downloading is problematic or undesirable:Cargo.toml
could result in hundreds of megabytes in bandwidth for a single dependency. This is problematic for people on limited connections (slow / capped / mobile).intel-mkl-src
and modified the source code for evil purposes, in this case there would be a record of the release, and it would be detectable by inspecting the source code uploaded tocrates.io
. However, by just downloading a binary blob off of AWS there are no guarantees that a malicious actor hasn't switched out the binaries with malicious code. This would be much harder to detect.My suggestion is as follows:
download
non-default.I would love to hear your thoughts. For us this is currently a blocker from possibly diverting our attention from our own
mkl-sys
crate (not oncrates.io
) to instead contributing to this crate. I think for the sake of the ecosystem it would be great if we could consolidate efforts here.The text was updated successfully, but these errors were encountered: