
cargo install should have an option to allow installing a yanked binary #13082

Open
leighmcculloch opened this issue Nov 30, 2023 · 5 comments
Labels
A-yanked Area: yanked dependencies C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` Command-install S-triage Status: This issue is waiting on initial triage.

Comments

@leighmcculloch

Problem

Installing binaries using cargo install --version <version> <crate> will fail if version is yanked.

Crates can be yanked for different reasons. While some of those reasons are security related, not all are. Even for security related reasons, blocking the install of yanked tools is disruptive. Teams may need time to update CI, install scripts, systems, to be able to upgrade to a new version.

In CI systems it breaks and prevents reproducibility when versions of tools can disappear.

Proposed Solution

Add an option --allow-yanked to allow installing yanked binaries.

Or, change the --force option to allow installing yanked binaries.

Notes

No response
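The failure described above happens at the point where cargo picks the package version, before any lockfile is consulted, so a CI job only learns that a pinned version is yanked when `cargo install --version` errors out. As an added example (not part of this issue and not cargo's own code), the script below shows how a pipeline can check the crates.io sparse index for the pinned version ahead of time and report a clear status, listing the versions that are still installable. The crate name `example-tool`, the index lines and the checksums are constructed for this example; the path layout follows the published sparse-index scheme (1, 2, 3-character and longer crate names).

```python
"""Pre-flight check: is the version we are about to `cargo install` yanked?

Example code added for illustration; not part of cargo or of this issue.
Works offline on constructed sparse-index lines; in a real pipeline the
text would come from https://index.crates.io/<index_path(name)>.
"""
import json
from typing import Optional


def index_path(name: str) -> str:
    """Path of a crate's entry in the sparse index (lowercased name)."""
    n = name.lower()
    if len(n) == 1:
        return f"1/{n}"
    if len(n) == 2:
        return f"2/{n}"
    if len(n) == 3:
        return f"3/{n[0]}/{n}"
    return f"{n[:2]}/{n[2:4]}/{n}"


def parse_index(text: str) -> list[dict]:
    """The index file is one JSON object per line, one line per published version."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def yanked_status(entries: list[dict], version: str) -> Optional[bool]:
    """True if `version` is yanked, False if it is live, None if it was never published."""
    for entry in entries:
        if entry["vers"] == version:
            return bool(entry.get("yanked", False))
    return None


def installable_versions(entries: list[dict]) -> list[str]:
    """Versions `cargo install --version` would currently accept."""
    return [e["vers"] for e in entries if not e.get("yanked", False)]


def preflight(entries: list[dict], version: str) -> str:
    """Status string a CI step can branch on before running cargo install."""
    status = yanked_status(entries, version)
    if status is None:
        return "unknown"
    return "yanked" if status else "ok"


# Constructed sample index for a hypothetical crate `example-tool`.
# Checksums are placeholders, not real SHA-256 values.
SAMPLE_INDEX = "\n".join([
    '{"name":"example-tool","vers":"1.2.0","deps":[],"cksum":"' + "0" * 64 + '","features":{},"yanked":false}',
    '{"name":"example-tool","vers":"1.2.1","deps":[],"cksum":"' + "1" * 64 + '","features":{},"yanked":true}',
    '{"name":"example-tool","vers":"1.3.0","deps":[],"cksum":"' + "2" * 64 + '","features":{},"yanked":false}',
])
SAMPLE_ENTRIES = parse_index(SAMPLE_INDEX)

if __name__ == "__main__":
    pinned = "1.2.1"
    print("index entry:", index_path("example-tool"))
    print(f"pinned {pinned}: {preflight(SAMPLE_ENTRIES, pinned)}")
    print("installable:", installable_versions(SAMPLE_ENTRIES))
```

In a pipeline the `yanked` result is where a team decides what to do: fail early with a message naming the yanked version, or fall back to the newest non-yanked release. Either way the outcome is visible in the job log instead of appearing as an unexplained `cargo install` failure.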

@leighmcculloch leighmcculloch added C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` S-triage Status: This issue is waiting on initial triage. labels Nov 30, 2023
@weihanglo

This comment was marked as off-topic.

@epage
Contributor

epage commented Nov 30, 2023

The problem with --locked is that it is for when resolving dependencies. I believe this is for when choosing which package to install, which is earlier in the process.

@epage
Contributor

epage commented Nov 30, 2023

I suspect the actual solution for this should be #2267 as it makes running the command subject to the lockfile which can bypass yanked.

@leighmcculloch
Author

> For cargo install specifically, could you run cargo install <pkg> --locked? It is the flag to achieve the reproducibility if the binary package had Cargo.lock committed.

I use --locked, I just left it out of the example in the PR, and it doesn't make a difference. Cargo still disallows installing the binary.

@leighmcculloch
Author

> I suspect the actual solution for this should be #2267 as it makes running the command subject to the lockfile which can bypass yanked.

The problem with relying on #2267 is that it doesn't solve the problem for users who wish to cargo install a binary globally, which is a very valid way to install a development tool. #2267 appears to be narrowly focused on a specific workflow where somebody is using a development tool for a Rust project specifically. This issue is specifically about the cargo install user flow which applies to a large variety of environments and setups which may not actually be in the context of a Rust project.

@epage epage added the A-yanked Area: yanked dependencies label Mar 7, 2024