Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should Cargo.lock be committed, or added to .gitignore? #315

Closed
zr40 opened this issue Aug 4, 2014 · 12 comments
Closed

Should Cargo.lock be committed, or added to .gitignore? #315

zr40 opened this issue Aug 4, 2014 · 12 comments

Comments

@zr40
Copy link

zr40 commented Aug 4, 2014

There doesn't appear to be any documentation about the purpose of Cargo.lock and guidelines for handling it.

Should Cargo.lock be committed to a project's repository, or should it be added to .gitignore?

/cc nickel-org/nickel.rs#50
@alexchandel
Copy link

I heard on IRC it should be ignored for libraries, tracked for binaries.

@alexcrichton
Copy link
Member

Yes, libraries should ignore Cargo.lock but binaries/applications should check-in Cargo.lock.

I believe @wycats is going to work on some documentation for this in the coming days.

@SimonSapin SimonSapin mentioned this issue Aug 6, 2014
Closed
@SimonSapin
Copy link
Contributor

If Cargo.lock has meaningful content (as opposed to being a way to multiple instances of Cargo to run simultaneously), shouldn’t it be named something else?

@michaelsproul michaelsproul mentioned this issue Aug 7, 2014
Merged
@alexcrichton
Copy link
Member

This is now documented, so I'm going to close this.

jsanders added a commit to jsanders/rust-gmp that referenced this issue Oct 25, 2014
@jsanders
It is recommended to ignore Cargo.lock for libraries
859f73c 
See rust-lang/cargo#315.
@heyman
Copy link

heyman commented Dec 25, 2014

The documentation seems to reside on a new subdomain. The information regarding Cargo can now be found at: http://doc.crates.io/guide.html#cargo.toml-vs-cargo.lock

@teotwaki teotwaki mentioned this issue Feb 16, 2015
Merged
@dguo dguo mentioned this issue Feb 26, 2015
Closed
@marti1125 marti1125 mentioned this issue Apr 1, 2015
Closed
jswrenn referenced this issue in jswrenn/turnout-for-what Oct 9, 2016
@jswrenn
Read destination paths from file.
430e264
@zonyitoo zonyitoo mentioned this issue Jan 9, 2017
Closed
@jaheba jaheba mentioned this issue Apr 5, 2017
Merged
@AndreasHassing
Copy link

AndreasHassing commented Apr 30, 2017
edited

The answer in this FAQ describes the reasoning really well: http://doc.crates.io/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries

Just leaving this here, as Google'ing for "Crate.lock gitignore" leads to this issue, and @alexcrichton's link is dead.

lo48576 pushed a commit to lo48576/lazy-init that referenced this issue Nov 9, 2017
Ignore Cargo.lock
54e6438 
Libraries should ignore `Cargo.lock`.
See <rust-lang/cargo#315> and
<http://doc.crates.io/guide.html>.
khuey pushed a commit to khuey/lazy-init that referenced this issue Nov 9, 2017
@khuey
Ignore Cargo.lock
fb92afa 
Libraries should ignore `Cargo.lock`.
See <rust-lang/cargo#315> and
<http://doc.crates.io/guide.html>.
fpoli added a commit to fpoli/rucaja that referenced this issue Nov 10, 2017
@fpoli
Ignore Cargo.lock
7f71ce9 
According to [1], [2] Cargo.lock should be added to gitignore for libraries.

[1](http://doc.crates.io/guide.html#cargo.toml-vs-cargo.lock)
[2](rust-lang/cargo#315)
fpoli added a commit to fpoli/rucaja that referenced this issue Nov 10, 2017
@fpoli
Ignore Cargo.lock
65c98b1 
According to [1], [2] Cargo.lock should be added to gitignore for libraries.

[1](http://doc.crates.io/guide.html#cargo.toml-vs-cargo.lock)
[2](rust-lang/cargo#315)
fpoli added a commit to fpoli/rucaja that referenced this issue Nov 10, 2017
@fpoli
Ignore Cargo.lock
ea29e39 
According to [1], [2] Cargo.lock should be added to gitignore for libraries.

[1](http://doc.crates.io/guide.html#cargo.toml-vs-cargo.lock)
[2](rust-lang/cargo#315)
fpoli added a commit to fpoli/rucaja that referenced this issue Nov 10, 2017
@fpoli
Ignore Cargo.lock
44be338 
According to [1], [2] Cargo.lock should be added to gitignore for libraries.

[1](http://doc.crates.io/guide.html#cargo.toml-vs-cargo.lock)
[2](rust-lang/cargo#315)
fpoli added a commit to fpoli/rucaja that referenced this issue Nov 10, 2017
@fpoli
Ignore Cargo.lock
bad6a24 
According to [1], [2] Cargo.lock should be added to gitignore for libraries.

[1](http://doc.crates.io/guide.html#cargo.toml-vs-cargo.lock)
[2](rust-lang/cargo#315)
fpoli added a commit to fpoli/rucaja that referenced this issue Nov 10, 2017
@fpoli
Ignore Cargo.lock
fbf7ebe 
According to [1], [2] Cargo.lock should be added to gitignore for libraries.

[1](http://doc.crates.io/guide.html#cargo.toml-vs-cargo.lock)
[2](rust-lang/cargo#315)
dsprenkels pushed a commit to dsprenkels/sss-cli that referenced this issue Dec 31, 2017
Add Cargo.lock file
b25d96b 
Cargo.lock should be committed for binaries, see also
rust-lang/cargo#315.
dvberkel added a commit to fifth-postulate/packing-puzzle that referenced this issue Feb 5, 2018
@dvberkel
Check in Cargo.lock like libraries should do
58ffbec 
rust-lang/cargo#315
@u2 u2 mentioned this issue Aug 6, 2018
Merged
jgraef pushed a commit to nimiq/core-rs that referenced this issue Feb 4, 2019
Removed Cargo.lock, see [1]
cc98781 
[1] rust-lang/cargo#315
@montao
Copy link

montao commented Feb 13, 2019

This is now documented, so I'm going to close this.

Link does not work. Maybe it is this now https://doc.rust-lang.org/cargo/guide/

@bonzini bonzini mentioned this issue Feb 28, 2019
Merged
jontze added a commit to jontze/mdbook-katex that referenced this issue Dec 11, 2022
@jontze
remove Cargo.lock from .gitignore
8ace62f 
To ensure reproducible builds for the compiled binaries it's recommended
to add the `Cargo.lock` file to version control.

Refs.:
- Cargo Book FAQs: https://doc.rust-lang.org/cargo/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries
- Discussion in a github issue: rust-lang/cargo#315
jontze added a commit to jontze/mdbook-katex that referenced this issue Dec 12, 2022
@jontze
remove Cargo.lock from .gitignore
23a0586 
To ensure reproducible builds for the compiled binaries it's recommended
to add the `Cargo.lock` file to version control.

Refs.:
- Cargo Book FAQs: https://doc.rust-lang.org/cargo/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries
- Discussion in a github issue: rust-lang/cargo#315
@jontze jontze mentioned this issue Dec 12, 2022
Merged
@Kezii Kezii mentioned this issue Dec 26, 2022
Closed
@dotlambda dotlambda mentioned this issue Jan 19, 2023
Closed
This was referenced Feb 13, 2023
Merged
Merged
Merged
This was referenced Mar 1, 2023
Closed
Merged
thomastaylor312 pushed a commit to krustlet/oci-distribution that referenced this issue Mar 2, 2023
@bacongobbler
remove Cargo.lock
2f16ddc 
As per rust-lang/cargo#315

Signed-off-by: Matthew Fisher <matt.fisher@fermyon.com>
@SiddheshKanawade SiddheshKanawade mentioned this issue Mar 7, 2023
Closed
@Narsil Narsil mentioned this issue Apr 11, 2023
Closed
@ozgrakkurt ozgrakkurt mentioned this issue Apr 27, 2023
Closed
@cpswan cpswan mentioned this issue Jun 20, 2023
Merged
@hky1999 hky1999 mentioned this issue Sep 22, 2023
Open
@Pegasust Pegasust mentioned this issue Sep 26, 2023
Open
@lassemoldrup lassemoldrup mentioned this issue Nov 29, 2023
Closed
@camio camio mentioned this issue Dec 7, 2023
Open
@Tim-Zhang Tim-Zhang mentioned this issue Dec 11, 2023
Closed
@choleraehyq
Copy link

Cargo.lock not only specifies the specific versions of dependencies, but also provides the checksums of its dependencies for build system to verify. From this security aspect, maybe we need to commit Cargo.lock along with Cargo.toml?

Go team clearly point out this reason in doc https://go.dev/wiki/Modules#should-i-commit-my-gosum-file-as-well-as-my-gomod-file.

@weihanglo
Copy link
Member

Please read the recent blog post "Change in Guidance on Committing Lockfiles", and the up-to-date guidance.
See also #8728.

@binkley
Copy link

binkley commented Jan 1, 2024

I read through the links provided in the comments, and @weihanglo 's posting was the only one to provide a currently active doc link: https://doc.rust-lang.org/cargo/faq.html#why-have-cargolock-in-version-control

@ac000 ac000 mentioned this issue Feb 19, 2024
Merged
@piojost piojost mentioned this issue Apr 2, 2024
Open
@flrgh flrgh mentioned this issue Apr 9, 2024
Merged
hishamhm pushed a commit to Kong/datakit-filter that referenced this issue Apr 9, 2024
@flrgh
chore(ci): add Cargo.lock file (#3)
446db15 
I'd consider us a binary package, so [we should track our lock file in vcs](rust-lang/cargo#315). Better for auditing shipped dependencies and better for build cache/reproducibility.
@YouFoundAlpha YouFoundAlpha mentioned this issue Apr 24, 2024
Closed
@nick42d nick42d mentioned this issue Apr 25, 2024
Closed
@n8henrie n8henrie mentioned this issue May 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests