[docs] FAQ should address whether Cargo.toml in libraries should specify dependency versions

[astraw]

In the "Why do binaries have Cargo.lock in version control, but not libraries?" section of the FAQ, a logic is laid out for why libraries should not specify have in Cargo.lock placed in the version control system. By the same logic, I think a similar statement could be made for pinning the versions in Cargo.toml. (I.e. libraries should aim to specify versions required with "*"). It would be useful to make this clear in the FAQ.

[alexcrichton]

Note that libraries should explicitly never use a dependency with the requirement as *, as it's not a true statement that "this library works with any version, ever". Dependencies should always try to use a semver-style range of dependencies, e.g. via foo = "0.4.0". That being said this can certainly be clarified in the docs as well.

[astraw]

Thanks for the clarification. Indeed, some clarification on this point in the FAQ would be useful IMO. (And for the record, can you explain how foo = "0.4.0" is a "semver-style range"? Or did you mean something like foo = "0.4.*"?)

[alexcrichton]

foo = "0.3.0" is basically saying "semver compatible" with 0.3.0 as it's just a "caret requirement". You can find more info here: http://doc.crates.io/crates-io.html#using-crates.io-based-crates

[astraw]

Thanks again for another clarification given that I clearly missed the docs stating the dependency is specified as caret-range-by-default.