This repository has been archived by the owner on Apr 3, 2024. It is now read-only.

Copy Cargo.lock from crates.io packages if repository does not have one #1

Open
link2xt opened this issue Apr 1, 2024 · 3 comments

Comments

@link2xt
Owner

link2xt commented Apr 1, 2024

It seems cargo publish (and cargo package) always uploads the Cargo.lock generated during verification, even if Cargo.lock is not committed to the repository and is added to .gitignore. This makes the crate non-reproducible because every attempt to build the package generates a new Cargo.lock.

This looks like a bug; I would expect Cargo.lock not to be published in this case, e.g. for libraries. On the other hand, maybe it ensures that binaries installed with cargo install are always built with the pinned dependencies from the time the crate is published. EDIT: it is documented in the cargo-package man page that this happens if the package contains a binary or examples.

To solve this problem we should copy Cargo.lock if it is present in the downloaded crate but not in the cloned repository.

@link2xt
Owner Author

link2xt commented Apr 1, 2024

This does not help, at least for yerpc-0.5.3.
I do this:

  1. Check out this repository at commit 767cafa
  2. Run nix develop to get a nix shell with the pinned version of cargo
  3. Download yerpc-0.5.3 with wget https://static.crates.io/crates/yerpc/yerpc-0.5.3.crate
  4. Extract the crate with tar xf yerpc-0.5.3.crate
  5. Clone the yerpc repository with git clone https://github.com/deltachat/yerpc
  6. cd yerpc
  7. git checkout $(jq -r .git.sha1 <../yerpc-0.5.3/.cargo_vcs_info.json)
  8. cp ../yerpc-0.5.3/Cargo.lock .
  9. cd yerpc (cd into path_in_vcs)
  10. cargo package --locked

It fails with

error: the lock file .../yerpc/Cargo.lock needs to be updated but --locked was passed to prevent this
If you want to try to generate the lock file without accessing the network, remove the --locked flag and use --offline instead.

I don't get why it wants to update Cargo.lock, but updating it will definitely break reproducibility.

@link2xt
Owner Author

link2xt commented Apr 1, 2024

Maybe it was generated with an old version of cargo, e.g. the old lockfile does not contain a yerpc_example_tide section, but new cargo wants to generate lockfile sections for all examples.

@link2xt
Owner Author

link2xt commented Apr 1, 2024

Seems the idea to rebuild crates with cargo package does not work; cargo may decide to rebuild the lockfile for many reasons: rust-lang/cargo#3265
Without using exactly the same version of cargo as was used to build the crate, we cannot use cargo package.
We need to emulate cargo package without even looking at the lockfile, or just compare the files in the repository to the files from the tarball.
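The second option from the comment above, comparing the tarball's files with the git checkout instead of re-running cargo package, as an added example that is not code from this repository: it reads .cargo_vcs_info.json for the commit sha1 and path_in_vcs, sets aside the files cargo itself writes into the tarball (Cargo.lock, .cargo_vcs_info.json, the normalized Cargo.toml, whose original is shipped as Cargo.toml.orig) and reports every other file as matching, modified, or never committed. The crate name, the checkout layout and the file contents in demo() are constructed; cloning the repository at the recorded sha1 is left to the caller.

```python
import io, json, os, tarfile, tempfile

# Files cargo writes into the .crate itself, with no git counterpart. The tarball's Cargo.toml is a
# normalized rewrite, so the checkout's Cargo.toml is compared against Cargo.toml.orig instead.
GENERATED = {"Cargo.lock", ".cargo_vcs_info.json", "Cargo.toml"}
in_repo = lambda rel: "Cargo.toml" if rel == "Cargo.toml.orig" else rel

def crate_files(crate_bytes):
    # {path inside tarball: bytes}; the "<name>-<version>/" prefix is dropped.
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        return {m.name.split("/", 1)[1]: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}

def repo_files(repo_dir, path_in_vcs=""):
    # {path relative to repo_dir/path_in_vcs (the directory cargo packaged): bytes}, skipping .git.
    base, out = os.path.join(repo_dir, path_in_vcs), {}
    for root, dirs, names in os.walk(base):
        dirs[:] = [d for d in dirs if d != ".git"]
        for n in names:
            with open(os.path.join(root, n), "rb") as f:
                out[os.path.relpath(os.path.join(root, n), base).replace(os.sep, "/")] = f.read()
    return out

def compare(crate_bytes, repo_dir):
    # Returns (commit sha1 recorded by cargo, {tarball path: status}) without invoking cargo at all.
    files = crate_files(crate_bytes)
    vcs = json.loads(files.get(".cargo_vcs_info.json", b"{}"))
    repo = repo_files(repo_dir, vcs.get("path_in_vcs", ""))
    def status(rel):
        if rel in GENERATED: return "generated"
        if in_repo(rel) not in repo: return "not_in_repo"
        return "matches" if repo[in_repo(rel)] == files[rel] else "modified"
    return vcs.get("git", {}).get("sha1"), {rel: status(rel) for rel in sorted(files)}

def demo():
    # Constructed sample: a "demo-0.1.0" tarball whose checkout lives at path_in_vcs="sub".
    vcs = json.dumps({"git": {"sha1": "0" * 40}, "path_in_vcs": "sub"}).encode()
    tarball = {"Cargo.toml.orig": b'[package]\nname = "demo"\n', "Cargo.toml": b"# normalized\n",
               "Cargo.lock": b"# generated\n", "src/lib.rs": b"pub fn f() {}\n",
               "src/extra.rs": b"// never committed\n", ".cargo_vcs_info.json": vcs}
    checkout = {"Cargo.toml": tarball["Cargo.toml.orig"], "src/lib.rs": b"pub fn f() { 1 }\n"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in tarball.items():
            info = tarfile.TarInfo("demo-0.1.0/" + name); info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    repo = tempfile.mkdtemp()
    for name, data in checkout.items():
        os.makedirs(os.path.dirname(os.path.join(repo, "sub", name)), exist_ok=True)
        with open(os.path.join(repo, "sub", name), "wb") as f: f.write(data)
    return compare(buf.getvalue(), repo)
```

Files present in the checkout but absent from the tarball are not reported, since cargo's exclude rules and .gitignore legitimately drop them; the interesting direction for supply-chain review is the other one.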
