cargo is a helper tool to download Rust crates.
As such it is a domain-specific package manager, which potentially involves nonfree code - and is outside the control of PureOS.
FSF guidelines for systems explicitly forbids to "steer users towards obtaining any nonfree information for practical use, or encourage them to do so [and should not] refer to third-party repositories that are not committed to only including free software; even if they only have free software today, that may not be true tomorrow."
The package should be blocked from getting included from Debian into PureOS.
The following packages reverse (build-)depends or recommends on cargo and should be blocked as well:
- lots of packages reverse-build-depending on meson...
Given the amount of reverse build-dependencies (and more expected, when Rust library packaging takes off in Debian), we should probably try amputate cargo's ability to fetch external sources: Even if that feature is the main purpose of cargo upstream, Debian packages are forbidden to make use of that during build, so any package failing to build with such amputated cargo is either violating Debian rules or need to go anyway.