From 569691a555d52b81ac941fa2e819bafd85cb6469 Mon Sep 17 00:00:00 2001
From: Kayos
Date: Wed, 29 Apr 2026 14:42:40 -0700
Subject: [PATCH] Dockerfile: skip cargo-audit/cargo-deny install (both flaking); keep mypy types-requests fix
---
 Dockerfile | 26 +++++++-------------------
 1 file changed, 7 insertions(+), 19 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 9435874..89e7f04 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -213,25 +213,13 @@ RUN curl -fsSL https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --p
 # at runtime). The /caches/cargo/bin/ dir IS volume-shadowed by the host bind
 # mount, so cargo install artifacts there disappear inside the live container.
 USER root
-# Install cargo-deny via the prebuilt linux x86_64 binary from its GitHub
-# release — way more reliable than `cargo install` (which has flaked on
-# both cargo-audit's libgit2-sys dep AND on quote's build script under
-# the /caches/cargo volume contention). cargo-deny supersedes cargo-audit
-# for our purposes: `cargo deny check advisories` runs the same RustSec
-# advisory DB scan that cargo-audit does.
-RUN ARCH="$(dpkg --print-architecture)" \
- && case "$ARCH" in \
- amd64) DENY_TARGET=x86_64-unknown-linux-musl ;; \
- arm64) DENY_TARGET=aarch64-unknown-linux-musl ;; \
- *) echo "unsupported arch $ARCH for cargo-deny" && exit 1 ;; \
- esac \
- && DENY_VERSION=0.16.4 \
- && curl -fsSL "https://github.com/EmbarkStudios/cargo-deny/releases/download/${DENY_VERSION}/cargo-deny-${DENY_VERSION}-${DENY_TARGET}.tar.gz" -o /tmp/cargo-deny.tgz \
- && tar -xzf /tmp/cargo-deny.tgz -C /tmp \
- && cp "/tmp/cargo-deny-${DENY_VERSION}-${DENY_TARGET}/cargo-deny" /usr/local/bin/cargo-deny \
- && chmod 755 /usr/local/bin/cargo-deny \
- && rm -rf /tmp/cargo-deny.tgz "/tmp/cargo-deny-${DENY_VERSION}-${DENY_TARGET}"
-USER crafter
+# cargo-audit + cargo-deny intentionally NOT installed in image — both
+# `cargo install` and prebuilt-binary-download approaches flaked
+# (libgit2-sys C bindings, quote build script under /caches/cargo
+# contention, and DNS flakes on github.com release downloads). Operators
+# who need rust audit can install at runtime once the container is up.
+# Future v0.2 work: bake into a precompiled stage or use the prebuilt
+# binary pattern with retries.
 # ============================================================
 # 15. Bun (curl install)
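Review bot: The hunk keeps the context line `USER root` but deletes the matching `USER crafter`, so the build is still root when it reaches section 15 (Bun), and unless a later `USER` outside this hunk switches back, the image runs as root too. With the install gone nothing here needs root: either remove `USER root` or put `USER crafter` back right after `# binary pattern with retries.`. The two comment lines above `USER root` (the comment starts outside the hunk) explain a root-owned install that no longer exists and should be dropped or reworded with it. If the prebuilt-binary route returns in v0.2, pin the version and verify the archive against a SHA-256 recorded in the Dockerfile before copying it to /usr/local/bin; the removed step downloaded over HTTPS with no digest check, and the runtime install the new comment suggests would be just as unverified.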