You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Apr 3, 2024. It is now read-only.
It seems cargo publish (and cargo package) always uploads Cargo.lock generated during verification even if Cargo.lock is not committed to the repository and is added to .gitignore. This makes crate non-reproducible because every attempt to build package generates a new Cargo.lock.
This looks like a bug, I would expect Cargo.lock not to be published in this case e.g. for libraries. On the other hand maybe it ensures that binaries installed with cargo install are always built with pinned dependencies from the time crate is published. EDIT: it is documented in cargo-package man page that this happens if package contains binary or examples.
To solve this problem we should copy Cargo.lock if it is present in the downloaded crate but not in the cloned repository.
The text was updated successfully, but these errors were encountered:
error: the lock file .../yerpc/Cargo.lock needs to be updated but --locked was passed to prevent this
If you want to try to generate the lock file without accessing the network, remove the --locked flag and use --offline instead.
I don't get why it wants to update Cargo.lock, but updating it will definitely break reproducibility.
Maybe it was generated with old version of cargo, e.g. old lockfile does not contain yerpc_example_tide section, but new cargo wants to generate lockfile sections for all examples.
Seems the idea to rebuild crates with cargo package does not work, cargo may decide to rebuild lockfile for many reasons: rust-lang/cargo#3265
Without using exactly the same version of cargo as was used to build the crate we cannot use cargo package.
Need to emulate cargo package without even looking at the lockfile or just compare the files in the repository to the files from the tarball.
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
It seems
cargo publish
(andcargo package
) always uploadsCargo.lock
generated during verification even ifCargo.lock
is not committed to the repository and is added to.gitignore
. This makes crate non-reproducible because every attempt to build package generates a newCargo.lock
.This looks like a bug, I would expect
Cargo.lock
not to be published in this case e.g. for libraries. On the other hand maybe it ensures that binaries installed withcargo install
are always built with pinned dependencies from the time crate is published. EDIT: it is documented incargo-package
man page that this happens if package contains binary or examples.To solve this problem we should copy
Cargo.lock
if it is present in the downloaded crate but not in the cloned repository.The text was updated successfully, but these errors were encountered: