Downloads of source code and nightly builds not verified

[vladimir-lu]

Perhaps due to the nature of nightly builds it is usually more work to verify their integrity and authenticity (say, via a signature by the rust developers). The current situation is sub-optimal and there are a number of things that can be done about this:

• turn off thin manifests
• always download over https
• get upstream to sign rust binaries

Upstream issues:

• rust-lang.org, the nightly archives, and rustup.sh should be served over https rust-lang/rust#16123 tracks downloading over https and is fixed I believe
• rustup.sh and underlying binaries authentication rust-lang/rust#16442 tracks the binary signing issue
• Security model / TUF rust-lang/crates.io#75 tracks crate signing

[williamh]

Ideally, upstream would give each nightly tarball a unique name some way so we could use the name in the src_uri of an ebuild instead of using wget in src_unpack to download them. Since they don't do that, a nightly ebuild is exactly like a live ebuild; if you use them you get what you get. That is why we can't ever keyword nightlys.

[jauhien]

See #6