This repository has been archived by the owner on Jan 1, 2022. It is now read-only.

What happened to old versions of this crate? #56

Open
dtolnay opened this issue Apr 26, 2021 · 6 comments

dtolnay commented Apr 26, 2021

As of today, the only partial-io versions listed as present on https://crates.io/crates/partial-io/versions and https://docs.rs/crate/partial-io are 0.3.1, 0.4.0, and 0.5.0.

However a bunch of things suggest that older versions used to exist on crates.io. For example zstd 0.4.10, published on June 4, 2017, declares a dependency on partial-io ^0.2.1, which Cargo would have refused to publish if some version >=0.2.1 <0.3.0 hadn't been present at the time. I also see tagged releases on https://github.com/facebookincubator/rust-partial-io/releases, such as 0.2.1 on commit c3c30a9.

Is this an indication of data loss on crates.io or is there a reason that these releases were intentionally vanished (such as secrets leaked in the public package)?

Context: I am writing some analyses of evolution of the fully resolved crates.io dependency graph over time and there end up being a few special cases involving crates depending on partial-io versions that "don't exist".

Contributor

sunshowers commented Apr 26, 2021

Hey David!

FYI the old crates were removed because they had my deadname in the author section.

Author

dtolnay commented Apr 26, 2021

Ah -- that's too bad that we end up leaving unresolvable dependency edges in a bunch of downstream packages. I wonder if, now that those releases do not exist according to crates.io, it would be okay to republish the same version numbers with correct metadata.

I've worked around this so feel free to close and/or delete this issue btw.

@sunshowers
Contributor

Hmm I did consider that but the lockfile hashes would be different which is why I didn't pursue it.

Author

dtolnay commented Apr 26, 2021

Doesn't that only affect projects that are already broken either way? That is, if someone has all three of the following true:

  • They downloaded some Rust code that comes with a lockfile,
  • which contains the old hash,
  • and they do not have a copy of old partial-io in their Cargo cache.

If a project has no lockfile, Cargo will be fine pulling in the re-releases. If the project used to depend on old partial-io but no longer does, everything is fine. And if the person has the old partial-io in their Cargo cache, Cargo will use it.

However notice if all 3 of the above are true, they're broken anyway already, because Cargo will try to download old partial-io and not find it — so I don't expect that should be a reason not to publish.
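The lockfile-hash question discussed in this thread can be checked mechanically by comparing a lockfile's pinned checksums with what the registry index currently lists. The following is an added example, not part of the issue thread or of the partial-io project. It assumes the current `Cargo.lock` layout with a `checksum` key inside each `[[package]]` table, index entries reduced to the `name`, `vers`, `cksum` and `yanked` fields, a minimal `key = "value"` reader rather than a full TOML parser, and constructed placeholder checksums.

```python
import json
import re

# Constructed sample inputs: the checksums are placeholders, not real crates.io values.
OLD, NEW, ZSTD = "11" * 32, "22" * 32, "33" * 32
SRC = "registry+https://github.com/rust-lang/crates.io-index"
CARGO_LOCK = f'''
[[package]]
name = "partial-io"
version = "0.2.1"
source = "{SRC}"
checksum = "{OLD}"

[[package]]
name = "zstd"
version = "0.4.10"
source = "{SRC}"
checksum = "{ZSTD}"
'''

def index(*entries):
    """Build constructed index text: one JSON object per published version."""
    return "\n".join(json.dumps({"name": n, "vers": v, "cksum": c, "yanked": False})
                     for n, v, c in entries)

# Index as the thread describes it (0.2.1 gone) and after a hypothetical re-release.
INDEX_TODAY = index(("partial-io", "0.3.1", NEW), ("zstd", "0.4.10", ZSTD))
INDEX_REPUBLISHED = index(("partial-io", "0.2.1", NEW), ("zstd", "0.4.10", ZSTD))

def locked_packages(lock_text):
    """Yield (name, version, checksum) for each registry [[package]] table."""
    for block in lock_text.split("[[package]]")[1:]:
        f = dict(re.findall(r'^(\w+) = "([^"]*)"$', block, re.M))
        if f.get("source", "").startswith("registry+") and "checksum" in f:
            yield f["name"], f["version"], f["checksum"]

def audit(lock_text, index_text):
    """Classify each locked package as match, absent or mismatch against the index."""
    lines = filter(str.strip, index_text.splitlines())
    published = {(e["name"], e["vers"]): e["cksum"] for e in map(json.loads, lines)}
    report = {}
    for name, vers, cksum in locked_packages(lock_text):
        have = published.get((name, vers))
        report[f"{name} {vers}"] = ("absent" if have is None
                                    else "match" if have == cksum else "mismatch")
    return report

if __name__ == "__main__":
    print("today:", audit(CARGO_LOCK, INDEX_TODAY))
    print("re-released:", audit(CARGO_LOCK, INDEX_REPUBLISHED))
```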

@sunshowers
Contributor

Ahh, good point. What do you think about same version vs one version up? (e.g. 0.3.1 was taken down, so publish 0.3.2). I'll also ask the crates.io maintainers what they think.

Author

dtolnay commented Apr 26, 2021

My inclination would be same version (preferred) or same version with semver's "build metadata" (0.3.1+1, slightly less preferred).
