New comment by jcgruenhage on void-packages repository

https://github.com/void-linux/void-packages/pull/43233#issuecomment-1494026792

Comment:
We don't handle that at all yet. We're building rust packages with [`cargo auditable`](https://github.com/rust-secure-code/cargo-auditable) to get some visibility on such issues, so that we can detect rustsec issues from a running system and not only at build time, but we don't have a clear process for monitoring this yet.

With regards to patching the Cargo.lock file: We currently patch that file in 19 packages, but we don't do that by manually patching in the lockfile, we do that by running `cargo update --package @ --precise `. This has the slight disadvantage of not including a checksum, but crates.io does not allow changing versions so it's not a big drawback, but at the same time it's way easier to handle than Cargo.lock diffs.
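
An added example, not part of the comment and not Void Linux's tooling: `cargo auditable` embeds the dependency list as zlib-compressed JSON in a `.dep-v0` linker section, and this sketch reads it back from a little-endian ELF64 image, which is the inventory a RustSec check on a running system would start from. The sample ELF image, the helper names and the package names are constructed for the example.

```python
import json
import struct
import zlib

SECTION = b".dep-v0"  # linker section written by cargo auditable

def _sections(elf: bytes):
    """Yield (name, data) for each section of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    shoff, = struct.unpack_from("<Q", elf, 0x28)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    def header(i):
        name, _type, _flags, _addr, off, size = struct.unpack_from("<IIQQQQ", elf, shoff + i * shentsize)
        return name, off, size
    _, str_off, str_size = header(shstrndx)
    strtab = elf[str_off:str_off + str_size]
    for i in range(shnum):
        name, off, size = header(i)
        yield strtab[name:strtab.index(b"\0", name)], elf[off:off + size]

def audit_packages(elf: bytes):
    """Return sorted (name, version) pairs embedded in the binary, or None if absent."""
    for name, data in _sections(elf):
        if name == SECTION:
            doc = json.loads(zlib.decompress(data))
            return sorted((p["name"], p["version"]) for p in doc["packages"])
    return None  # binary was not built with cargo auditable

def build_sample_elf(payload: bytes) -> bytes:
    """Constructed test image: ELF64 header, .shstrtab and one .dep-v0 section."""
    strtab = b"\0.shstrtab\0.dep-v0\0"
    shoff = 64 + len(strtab) + len(payload)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 1)
    def shdr(name, typ, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)
    return (ehdr + strtab + payload + shdr(0, 0, 0, 0)
            + shdr(1, 3, 64, len(strtab)) + shdr(11, 1, 64 + len(strtab), len(payload)))

# Constructed sample payload in the cargo-auditable JSON layout (names are made up).
SAMPLE = zlib.compress(json.dumps({"packages": [
    {"name": "example-app", "version": "0.1.0", "source": "local", "root": True, "dependencies": [1]},
    {"name": "example-dep", "version": "1.2.3", "source": "crates.io"},
]}).encode())

if __name__ == "__main__":
    print(audit_packages(build_sample_elf(SAMPLE)))
```

The returned name and version pairs are what would be matched against RustSec advisories; a `None` result marks a binary that carries no audit data.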