Always include Cargo.lock in published crates #14815
```
[UPDATING] crates.io index
[ERROR] failed to verify package tarball
[ERROR] failed to prepare local package for uploading
```
This is nice! It failed earlier before the actual packaging happened, so users don't need to pay unnecessary stuff.
Originally it was only included for packages that have executables or examples for `cargo install`, however this causes inconsistencies and is kind of unexpected nowadays, e.g. with cdylib crates.

Including it always only slightly increases the crate size and allows for all crates to know a set of dependency versions that were working, which can make regression tracking easier.

Fixes rust-lang#13447
Network failure. Re-queue.
Update cargo

15 commits in 4a2d8dc636445b276288543882e076f254b3ae95..69e595908e2c420e7f0d1be34e6c5b984c8cfb84
2024-11-09 19:10:33 +0000 to 2024-11-16 01:26:11 +0000

- refactor(fingerprint): Track the intent for each use of `UnitHash` (rust-lang/cargo#14826)
- fix(toml): Update frontmatter parser for RFC 3503 (rust-lang/cargo#14792)
- docs(unstable): Move -Zwarnings from stable to unstable section (rust-lang/cargo#14827)
- Simplify English used in guide (rust-lang/cargo#14825)
- feat(resolver): Stabilize resolver v3 (rust-lang/cargo#14754)
- docs: Clean up doc comments (rust-lang/cargo#14823)
- fix(remove): On error, suggest other dependencies (rust-lang/cargo#14818)
- Always include Cargo.lock in published crates (rust-lang/cargo#14815)
- fix(build-rs)!: Updates from an audit (rust-lang/cargo#14817)
- feat(rustdoc): diplay env vars in extra verbose mode (rust-lang/cargo#14812)
- Migrate build-rs to the Cargo repo (rust-lang/cargo#14786)
- chore(ci): Check for clippy `correctness` (rust-lang/cargo#14796)
- git: do not validate submodules of fresh checkouts (rust-lang/cargo#14605)
- refactor: clone-on-write when needed for InternedString (rust-lang/cargo#14808)
- fix(docs): typo in cargo-fmt.md (rust-lang/cargo#14805)
FWIW, this had the side effect of adding Cargo.lock to vendored crates too, irrespective of whether the crate published on crates.io has one.
The other side effect / regression of this change: #15059
This was overlooked in rust-lang#14815.
### What does this PR try to resolve?

This was overlooked in #14815.

### How should we test and review this PR?

```
cargo build
target/debug/cargo help package
# and read the manpage
```
### What does this PR try to resolve?

This was changed in <#14815> since 1.84 but we missed some doc updates.
### What does this PR try to resolve?

Fixes #15059
Fixes #15159

This provides an escape hatch `--exclude-lockfile` for uncommon workflows that don't verify (`--no-verify` is passed) the build with their unpublished packages.

In effect, this takes the heuristic removed in #14815 and replaces it with a flag.

When `--exclude-lockfile` is enabled, `cargo package` will not verify the lock file if present, nor will it generate a new one if absent. Cargo.lock will not be included in the resulting tarball.

Together with `--no-verify`, this flag decouples packaging from checking the registry index. While this is useful for some non-normal workflows that require assembling packages having unpublished dependencies, it is recommended to use `-Zpackage-workspace` to package the entire workspace, instead of opting out of the lockfile.

### How should we test and review this PR?

The first commit was stolen from <NoisyCoil@1a104b5> (credit to @NoisyCoil!)
The second added two failing cases we observed in #15059.

### Additional information
Starting from rust 1.84.0 (cargo 1.84.0), published crates now always include a Cargo.lock file. Originally it was only included for packages that have executables or examples for use with cargo install. See [1].

This behaviour change alters the contents of the .tar.gz archives, which causes SHA256 hash mismatches when trying to build Rust packages.

Example build failure with bat-0.24.0:

```
ERROR: while checking hashes from package/bat/bat.hash
ERROR: bat-0.24.0-cargo2.tar.gz has wrong sha256 hash:
ERROR: expected: 45fcdd6076dc1b45698a7b6c0f4d1f5d9ae676f3ca3b155402ad24680d5b4df6
ERROR: got : 28b302b1aa325221796d4ebb25bacab19a8927ef32f4d56a965b32a7b1c102fc
```

After using the new hash to download the new archive tar.gz, we have the difference between the old archive and the new one using diffoscope:

```
│ │ --rw-r--r-- 0 0 0 1529 2023-10-11 17:14:12.000000 bat-0.24.0/VENDOR/bincode/.cargo-checksum.json
│ │ +-rw-r--r-- 0 0 0 1609 2023-10-11 17:14:12.000000 bat-0.24.0/VENDOR/bincode/.cargo-checksum.json
│ │ +-rw-r--r-- 0 0 0 1766 2023-10-11 17:14:12.000000 bat-0.24.0/VENDOR/bincode/Cargo.lock
│ │ -rw-r--r-- 0 0 0 1388 2023-10-11 17:14:12.000000 bat-0.24.0/VENDOR/bincode/Cargo.toml
```

We can see that Cargo.lock has been added.

To avoid hash mismatch issues and to clearly mark archives generated with the new Cargo behavior, we migrate the naming from 'cargo2.tar.gz' to 'cargo3.tar.gz'.

We did not find any alternative to disable this new cargo-publish behavior, so this change is necessary to allow updating the hashes of Cargo-fetched packages.

[1] rust-lang/cargo#14815
https://doc.rust-lang.org/nightly/cargo/CHANGELOG.html

Signed-off-by: El Mehdi YOUNES <[email protected]>
Signed-off-by: Thomas Petazzoni <[email protected]>
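A triage check for the hash mismatch described in the commit message above, as an added example that is not part of the original thread or of Cargo or Buildroot: it compares two archives file by file and reports whether the only differences are added `Cargo.lock` files and rewritten `.cargo-checksum.json` files. The archive contents are constructed sample data and all function names are hypothetical.

```python
import hashlib
import io
import tarfile

# Constructed sample trees (not real crate contents), laid out like the diffoscope listing.
BASE = "bat-0.24.0/VENDOR/bincode/"
OLD = {
    BASE + ".cargo-checksum.json": b'{"files":{"Cargo.toml":"aa"}}',
    BASE + "Cargo.toml": b'[package]\nname = "bincode"\n',
}
NEW = dict(OLD)
NEW[BASE + ".cargo-checksum.json"] = b'{"files":{"Cargo.lock":"bb","Cargo.toml":"aa"}}'
NEW[BASE + "Cargo.lock"] = b"version = 3\n"

def build_archive(files):
    """Build an in-memory .tar.gz from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def member_digests(archive):
    """Map each regular file in the archive to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests

def triage(old, new):
    """Classify per-file differences between two archives whose hashes differ."""
    a, b = member_digests(old), member_digests(new)
    added = sorted(b.keys() - a.keys())
    removed = sorted(a.keys() - b.keys())
    changed = sorted(p for p in a.keys() & b.keys() if a[p] != b[p])
    # Anything other than new Cargo.lock files and updated checksum manifests
    # is not explained by the Cargo change and needs a closer look.
    expected = (not removed
                and all(p.endswith("/Cargo.lock") for p in added)
                and all(p.endswith("/.cargo-checksum.json") for p in changed))
    return {"added": added, "removed": removed, "changed": changed, "expected_only": expected}

if __name__ == "__main__":
    print(triage(build_archive(OLD), build_archive(NEW)))
```

Comparing per-file digests rather than whole-archive hashes separates the expected lockfile addition from any other content change before a pinned hash is updated.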
### What does this PR try to resolve?

Originally it was only included for packages that have executables or examples for `cargo install`, however this causes inconsistencies and is kind of unexpected nowadays, e.g. with cdylib crates.

Including it always only slightly increases the crate size and allows for all crates to know a set of dependency versions that were working, which can make regression tracking easier.

Fixes #13447

### How should we test and review this PR?
The existing tests are covering this change in all kinds of various already, and one test that previously asserted that there is no Cargo.lock for library crates was changed to explicitly check for the new behaviour.