-
Notifications
You must be signed in to change notification settings - Fork 607
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crates_io_tarball: Ignore duplicate readme files #8802
Conversation
cargo is currently producing crate files with multiple readme files under certain conditions. While this is a bug on cargo side, we should probably be liberal in this case and still accept the crate files.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #8802 +/- ##
=======================================
Coverage 88.65% 88.65%
=======================================
Files 276 276
Lines 27614 27622 +8
=======================================
+ Hits 24480 24489 +9
+ Misses 3134 3133 -1 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given rust-lang/cargo#13722, do we need to extend this to licence files as well? (I can't immediately get cargo package
to generate the same ambiguity there, but I haven't played around with it very much.)
I might be more inclined to revert to the previous behaviour (only checking manifests) for now pending alignment with t-cargo on the exact semantics here, but I don't feel strongly enough about this to not approve the PR.
I'm not sure. is |
I figured out how to reproduce this for licences as well: # Create a new crate.
cargo new foo
# Create a licence file in the parent directory.
touch LICENSE
# Move into the crate and create another licence file with different casing.
cd foo
touch license
# Set the license-file in the manifest to point to ../LICENSE.
sed -i -e 's/edition = "2021"/&\nlicense-file = "..\/LICENSE"/' Cargo.toml
# Run cargo package.
cargo package --allow-dirty
# Finally, observe the problem.
tar ztvf target/package/foo-0.1.0.crate Which results in:
Lockfiles are mentioned in rust-lang/cargo#13722 as well, although I think that one's less of an issue because it would be more obvious on the filesystem (because you'd have So my feeling is that we should either treat licence files the same way we treat readmes, whatever that may be. Added problem that I obviously hadn't fully thought through before coffee had kicked in earlier: there's no particular guarantee the readme will be So, in summary: instead of this PR, I think we revert #8788 for now to go back to only preventing duplicate manifests (since that's much more problematic from a security perspective), then figure out what the semantics of handling case-insensitivity in crate files should be and (ideally) have cargo and crates.io do the same thing. (Spoiler: I think @kornelski is on the right path here.) |
cargo is currently producing crate files with multiple readme files under certain conditions. While this is a bug on cargo side, we should probably be liberal in this case and still accept the crate files.
see #8788 (comment)