[CLI] Make source verification opt-in instead of opt-out (dvx-699)

crates/sui/src/client_commands.rs

@@ -1737,17 +1737,25 @@ fn check_dep_verification_flags(
     verify_dependencies: bool,
 ) -> anyhow::Result<bool> {
     match (skip_dependency_verification, verify_dependencies) {
-        (true, true) => bail!("[error]: --skip_dependency_verification and --verify_dependencies are mutually exclusive"),
+        (true, true) => bail!(
+            "[error]: --skip-dependency-verification and --verify-deps are mutually exclusive"
+        ),
 
         (false, false) => {
-            eprintln!("{}: In a future release, dependency source code will no longer be verified by default during publication and upgrade. \
-                You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. \
-                You can also manually verify dependencies using `sui client verify-source`.",
-                "[warning]".bold().yellow());
-            Ok(true)
-        },
-
-        _ => Ok(verify_dependencies),
+            eprintln!("{}: Dependency sources are no longer verified automatically during publication and upgrade. \
+                You can pass the `--verify-deps` option if you would like to verify them as part of publication or upgrade.",
+                "[Note]".bold().yellow());
+            Ok(verify_dependencies)
+        }
+
+        (true, false) => {
+            eprintln!("{}: Dependency sources are no longer verified automatically during publication and upgrade, \
+                so the `--skip-dependency-verification` flag is no longer necessary.",
+                "[Warning]".bold().yellow());
+            Ok(verify_dependencies)
+        }
+
+        (false, true) => Ok(verify_dependencies),
     }
 }
 

crates/sui/tests/shell_tests/with_network/source_verification_deprecation/both_flags.sh

@@ -3,8 +3,8 @@
 
 # test that we get an error if we supply both `--skip-dependency-verification` and `--verify-deps`
 
-echo "=== publish ===" | tee /dev/stderr
+echo "=== publish (should fail) ===" | tee /dev/stderr
 sui client --client.config $CONFIG publish example --skip-dependency-verification --verify-deps
 
-echo "=== upgrade ===" | tee /dev/stderr
+echo "=== upgrade (should fail) ===" | tee /dev/stderr
 sui client --client.config $CONFIG upgrade example --upgrade-capability 0x1234 --skip-dependency-verification --verify-deps

crates/sui/tests/shell_tests/with_network/source_verification_deprecation/no_flags.sh

@@ -15,22 +15,22 @@ echo "=== publish dependency ===" | tee /dev/stderr
 sui client --client.config $CONFIG publish "dependency" \
   --json | jq '.effects.status'
 
-echo "=== publish package v0 (should warn) ===" | tee /dev/stderr
+echo "=== publish package v0 (should note deprecation) ===" | tee /dev/stderr
 UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" \
   --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
 
-echo "=== upgrade package (should warn) ===" | tee /dev/stderr
+echo "=== upgrade package (should note deprecation) ===" | tee /dev/stderr
 sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example \
   --json | jq '.effects.status'
 
 echo "=== modify dependency ===" | tee /dev/stderr
 cat dependency/sources/dependency.move | sed 's#0#1#g' > dependency.move
 mv dependency.move dependency/sources/dependency.move
 
-echo "=== try to publish with modified dep (should fail) ===" | tee /dev/stderr
-sui client --client.config $CONFIG publish "example" \
-  | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g'
+echo "=== try to publish with modified dep (should succeed) ===" | tee /dev/stderr
+UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" \
+  --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
 
-echo "=== try to upgrade with modified dep (should fail) ===" | tee /dev/stderr
+echo "=== try to upgrade with modified dep (should succeed) ===" | tee /dev/stderr
 sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example \
-  | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g'
+  --json | jq '.effects.status'

crates/sui/tests/shell_tests/with_network/source_verification_deprecation/skip_dep_verif.sh

@@ -11,15 +11,15 @@ do
     && mv Move.toml $i
 done
 
-echo "=== publish dependency ===" | tee /dev/stderr
+echo "=== publish dependency (should warn about deprecation) ===" | tee /dev/stderr
 sui client --client.config $CONFIG publish "dependency" --skip-dependency-verification \
   --json | jq '.effects.status'
 
-echo "=== publish package v0 (should NOT warn) ===" | tee /dev/stderr
+echo "=== publish package v0 (should warn about deprecation) ===" | tee /dev/stderr
 UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" --skip-dependency-verification \
   --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
 
-echo "=== upgrade package (should NOT warn) ===" | tee /dev/stderr
+echo "=== upgrade package (should warn about deprecation) ===" | tee /dev/stderr
 sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --skip-dependency-verification \
   --json | jq '.effects.status'
 

crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__both_flags.sh.snap

@@ -8,27 +8,27 @@ description: tests/shell_tests/with_network/source_verification_deprecation/both
 
 # test that we get an error if we supply both `--skip-dependency-verification` and `--verify-deps`
 
-echo "=== publish ===" | tee /dev/stderr
+echo "=== publish (should fail) ===" | tee /dev/stderr
 sui client --client.config $CONFIG publish example --skip-dependency-verification --verify-deps
 
-echo "=== upgrade ===" | tee /dev/stderr
+echo "=== upgrade (should fail) ===" | tee /dev/stderr
 sui client --client.config $CONFIG upgrade example --upgrade-capability 0x1234 --skip-dependency-verification --verify-deps
 
 ----- results -----
 success: false
 exit_code: 2
 ----- stdout -----
-=== publish ===
-=== upgrade ===
+=== publish (should fail) ===
+=== upgrade (should fail) ===
 
 ----- stderr -----
-=== publish ===
+=== publish (should fail) ===
 error: the argument '--skip-dependency-verification' cannot be used with '--verify-deps'
 
 Usage: sui client publish --skip-dependency-verification <package_path>
 
 For more information, try '--help'.
-=== upgrade ===
+=== upgrade (should fail) ===
 error: the argument '--skip-dependency-verification' cannot be used with '--verify-deps'
 
 Usage: sui client upgrade --upgrade-capability <UPGRADE_CAPABILITY> --skip-dependency-verification <package_path>

crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__no_flags.sh.snap

@@ -20,25 +20,25 @@ echo "=== publish dependency ===" | tee /dev/stderr
 sui client --client.config $CONFIG publish "dependency" \
   --json | jq '.effects.status'
 
-echo "=== publish package v0 (should warn) ===" | tee /dev/stderr
+echo "=== publish package v0 (should note deprecation) ===" | tee /dev/stderr
 UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" \
   --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
 
-echo "=== upgrade package (should warn) ===" | tee /dev/stderr
+echo "=== upgrade package (should note deprecation) ===" | tee /dev/stderr
 sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example \
   --json | jq '.effects.status'
 
 echo "=== modify dependency ===" | tee /dev/stderr
 cat dependency/sources/dependency.move | sed 's#0#1#g' > dependency.move
 mv dependency.move dependency/sources/dependency.move
 
-echo "=== try to publish with modified dep (should fail) ===" | tee /dev/stderr
-sui client --client.config $CONFIG publish "example" \
-  | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g'
+echo "=== try to publish with modified dep (should succeed) ===" | tee /dev/stderr
+UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" \
+  --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
 
-echo "=== try to upgrade with modified dep (should fail) ===" | tee /dev/stderr
+echo "=== try to upgrade with modified dep (should succeed) ===" | tee /dev/stderr
 sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example \
-  | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g'
+  --json | jq '.effects.status'
 
 ----- results -----
 success: true
@@ -49,47 +49,42 @@ exit_code: 0
 {
   "status": "success"
 }
-=== publish package v0 (should warn) ===
-=== upgrade package (should warn) ===
+=== publish package v0 (should note deprecation) ===
+=== upgrade package (should note deprecation) ===
 {
   "status": "success"
 }
 === modify dependency ===
-=== try to publish with modified dep (should fail) ===
-Failed to publish the Move module(s), reason: [warning] Local dependency did not match its on-chain version at [[package address]]::dependency::dependency
-
-This may indicate that the on-chain version(s) of your package's dependencies may behave differently than the source version(s) your package was built against.
-
-Fix this by rebuilding your packages with source versions matching on-chain versions of dependencies, or ignore this warning by re-running with the --skip-dependency-verification flag.
-=== try to upgrade with modified dep (should fail) ===
-Failed to publish the Move module(s), reason: [warning] Local dependency did not match its on-chain version at [[package address]]::dependency::dependency
-
-This may indicate that the on-chain version(s) of your package's dependencies may behave differently than the source version(s) your package was built against.
-
-Fix this by rebuilding your packages with source versions matching on-chain versions of dependencies, or ignore this warning by re-running with the --skip-dependency-verification flag.
+=== try to publish with modified dep (should succeed) ===
+=== try to upgrade with modified dep (should succeed) ===
+{
+  "status": "success"
+}
 
 ----- stderr -----
 === munge Move.toml files ===
 === publish dependency ===
-[warning]: In a future release, dependency source code will no longer be verified by default during publication and upgrade. You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. You can also manually verify dependencies using `sui client verify-source`.
+[Note]: Dependency sources are no longer verified automatically during publication and upgrade. You can pass the `--verify-deps` option if you would like to verify them as part of publication or upgrade.
 BUILDING dependency
-Successfully verified dependencies on-chain against source.
-=== publish package v0 (should warn) ===
-[warning]: In a future release, dependency source code will no longer be verified by default during publication and upgrade. You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. You can also manually verify dependencies using `sui client verify-source`.
+Skipping dependency verification
+=== publish package v0 (should note deprecation) ===
+[Note]: Dependency sources are no longer verified automatically during publication and upgrade. You can pass the `--verify-deps` option if you would like to verify them as part of publication or upgrade.
 INCLUDING DEPENDENCY dependency
 BUILDING example
-Successfully verified dependencies on-chain against source.
-=== upgrade package (should warn) ===
-[warning]: In a future release, dependency source code will no longer be verified by default during publication and upgrade. You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. You can also manually verify dependencies using `sui client verify-source`.
+Skipping dependency verification
+=== upgrade package (should note deprecation) ===
+[Note]: Dependency sources are no longer verified automatically during publication and upgrade. You can pass the `--verify-deps` option if you would like to verify them as part of publication or upgrade.
 INCLUDING DEPENDENCY dependency
 BUILDING example
-Successfully verified dependencies on-chain against source.
+Skipping dependency verification
 === modify dependency ===
-=== try to publish with modified dep (should fail) ===
-[warning]: In a future release, dependency source code will no longer be verified by default during publication and upgrade. You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. You can also manually verify dependencies using `sui client verify-source`.
+=== try to publish with modified dep (should succeed) ===
+[Note]: Dependency sources are no longer verified automatically during publication and upgrade. You can pass the `--verify-deps` option if you would like to verify them as part of publication or upgrade.
 INCLUDING DEPENDENCY dependency
 BUILDING example
-=== try to upgrade with modified dep (should fail) ===
-[warning]: In a future release, dependency source code will no longer be verified by default during publication and upgrade. You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. You can also manually verify dependencies using `sui client verify-source`.
+Skipping dependency verification
+=== try to upgrade with modified dep (should succeed) ===
+[Note]: Dependency sources are no longer verified automatically during publication and upgrade. You can pass the `--verify-deps` option if you would like to verify them as part of publication or upgrade.
 INCLUDING DEPENDENCY dependency
 BUILDING example
+Skipping dependency verification

crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__skip_dep_verif.sh.snap

@@ -16,15 +16,15 @@ do
     && mv Move.toml $i
 done
 
-echo "=== publish dependency ===" | tee /dev/stderr
+echo "=== publish dependency (should warn about deprecation) ===" | tee /dev/stderr
 sui client --client.config $CONFIG publish "dependency" --skip-dependency-verification \
   --json | jq '.effects.status'
 
-echo "=== publish package v0 (should NOT warn) ===" | tee /dev/stderr
+echo "=== publish package v0 (should warn about deprecation) ===" | tee /dev/stderr
 UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" --skip-dependency-verification \
   --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
 
-echo "=== upgrade package (should NOT warn) ===" | tee /dev/stderr
+echo "=== upgrade package (should warn about deprecation) ===" | tee /dev/stderr
 sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --skip-dependency-verification \
   --json | jq '.effects.status'
 
@@ -45,12 +45,12 @@ success: true
 exit_code: 0
 ----- stdout -----
 === munge Move.toml files ===
-=== publish dependency ===
+=== publish dependency (should warn about deprecation) ===
 {
   "status": "success"
 }
-=== publish package v0 (should NOT warn) ===
-=== upgrade package (should NOT warn) ===
+=== publish package v0 (should warn about deprecation) ===
+=== upgrade package (should warn about deprecation) ===
 {
   "status": "success"
 }
@@ -63,23 +63,28 @@ exit_code: 0
 
 ----- stderr -----
 === munge Move.toml files ===
-=== publish dependency ===
+=== publish dependency (should warn about deprecation) ===
+[Warning]: Dependency sources are no longer verified automatically during publication and upgrade, so the `--skip-dependency-verification` flag is no longer necessary.
 BUILDING dependency
 Skipping dependency verification
-=== publish package v0 (should NOT warn) ===
+=== publish package v0 (should warn about deprecation) ===
+[Warning]: Dependency sources are no longer verified automatically during publication and upgrade, so the `--skip-dependency-verification` flag is no longer necessary.
 INCLUDING DEPENDENCY dependency
 BUILDING example
 Skipping dependency verification
-=== upgrade package (should NOT warn) ===
+=== upgrade package (should warn about deprecation) ===
+[Warning]: Dependency sources are no longer verified automatically during publication and upgrade, so the `--skip-dependency-verification` flag is no longer necessary.
 INCLUDING DEPENDENCY dependency
 BUILDING example
 Skipping dependency verification
 === modify dependency ===
 === try to publish with modified dep (should succeed) ===
+[Warning]: Dependency sources are no longer verified automatically during publication and upgrade, so the `--skip-dependency-verification` flag is no longer necessary.
 INCLUDING DEPENDENCY dependency
 BUILDING example
 Skipping dependency verification
 === try to upgrade with modified dep (should succeed) ===
+[Warning]: Dependency sources are no longer verified automatically during publication and upgrade, so the `--skip-dependency-verification` flag is no longer necessary.
 INCLUDING DEPENDENCY dependency
 BUILDING example
 Skipping dependency verification