publish-lockfile: Various updates #6840
Conversation
|
(rust_highfive has picked a reviewer for you, use r? to override) |
rust-highfive
added
the
S-waiting-on-review
|
I'm not confident about some of these changes:
|
There was a problem hiding this comment.
Is it OK to not validate the .crate file can be extracted during cargo package?
I would naively say "we should keep doing what Cargo was previously doing" in the sense that it's one extra sanity check to ensure the tarball is indeed what we're expecting. That being said though I suspect it's just easier when generating the lock file to have the package structure on disk?
Would it be possible to keep most of the new lockfile resolution off disk? In theory we've already got the information available and I think we should be able to mostly avoid the disk for the resolution phase here.
Does it make sense to ignore Cargo.lock by default during cargo install for ephemeral workspaces only
I would still personally advocate for "yes" in the sense that picking up updates is often quite important for bugfixes and new features. It's just a question of defaults, and the defaults of "ignore the lock file" still feels correct to me vs "respect what's there". I do think there's probably wordsmithing we can do on error messages, and hinting that --locked may fix things is probably a good idea. We could go super extra far and recognize errors that happen in dependencies and not the crate itself, possibly providing an even stronger signal that such a message should be printed.
I think I'd probably say we should be uniform across sources if we can, ignoring lock files everywhere by default. I suspect we can change this over time as necessary though!
Should there be a separate flag?
Eh I don't feel strongly, but using --locked doesn't seem unreasonable to me
[Alex inserts a nonexistent previous question about printing differences in cargo.lock here]
I think the messaging about warning about differences in Cargo.lock may be a bit heavy-handed for publication. Printing a bold yellow "warning" for normal situations like path dependencies definitely feels a bit extreme to me, although I could see how a warning may work well for [patch]. I'm sort of tempted though to leave out these warnings for now (maybe relegate them to informational -v messages rather than warnings). I'm curious though of the use case you're thinking of when including them?
Is it worthwhile to add the yanked checks?
This I think may be a function of the defaults of --locked or not. If we default to --locked then this definitely feels worthwhile because otherwise it's too easy to silently use yanked packages for one reason or another.
If --locked is not the default, however, I think that we may want to avoid the warnings. You've already got to explicitly opt-in to --locked otherwise and I feel like that's typically motivated by something like:
- You previously got a build failure without it so you're using it. In this case the warning won't really do anything other than be possibly annoying, but you're probably unlikely to take action from it.
- Documentation told you to use
--locked, and since you're copy/pasting you have no idea what to do with the warning. - You're otherwise somewhat paranoid and always use
--locked. If you're in this category you're probably the kind of person to go open up an issue, so the warning is probably actionable in this use case.
I think overall though I feel like the warnings may be a bit much, but others of course may feel differently :)
I had considered that. The issue is that it needs the new, rewritten
I agree. I was just thinking it would be good to know that something was added to the lock file. I'll dial it back.
I agree with the concern that the warnings can be confusing or unactionable. My thinking is that using In general, I feel like Cargo has little-to-no communication to the user about yanked crates, which I think could be improved, and this would be a minor step in that direction. Do you think there's a better way to communicate this? In #2608 you mentioned warning every time a yanked dependency is built which would happen much more often. |
ehuss
force-pushed
the
publish-lockfile-updates
branch
from
869d39a
to
6ca61f0
Compare
|
I have included some updates to address some of the things mentioned above. It now generates the Cargo.lock in memory and retains the old behavior of extracting the tar file to verify ( |
There was a problem hiding this comment.
It is not super clean, but I think shouldn't be too hard to follow.
Nice! I suspect this can be improved over time as well if necessary, but otherwise it seems pretty reasonable as-is to me.
In general, I feel like Cargo has little-to-no communication to the user about yanked crates, which I think could be improved, and this would be a minor step in that direction.
This is a pretty compelling point to me, as is the rationale to the rarity of the warnings. I think I'm convinced that this seems like a good balance for now, and we can of course change course later!
In #2608 you mentioned warning every time a yanked dependency is built which would happen much more often.
Heh I had forgotten about this! It actually does seem like a good rule of thumb that when a yanked package is "used" (for some definition of the word "used") Cargo emits a warning. For example if you built a yanked package, that's using it. Here if you put it in a lock file going into the registry, that's using it. Similarly we'd warn on using it during cargo install (although we probably wouldn't want double warnings from both cargo install and building the crate itself).
In any case, I think we should go with what you've got implemented here!
As one final note apart from the one nit below, these warnings are all printed on cargo publish --dry-run, right?
This changes it so that `cargo package` will make sure the Cargo.lock file is in sync with the Cargo.toml that is generated during packaging. This has several points: - This makes the Cargo.lock more accurately reflect what would be locked if a user runs `cargo install` on the resulting package. - In a workspace, this removes irrelevant packages from the lock file. - This handles `[patch]` dependencies and dual-source dependencies (like path/version). - Warnings are generated for any differences in the lock file compared to the original. This has a significant change in how `cargo package` works. It now unconditionally copies the package to `target/package`. Previously this was only done during the verification step. This is necessary to run the resolver against the new `Cargo.toml` that gets generated.
Requires `--locked` to use Cargo.lock for registry and git installs.
This only applies for `cargo package/publish` with the publish-lockfile feature, or `cargo install --locked`.
The feature still needs to be enabled.
This constructs the new Cargo.lock in memory instead of writing it directly to disk. The in-memory copy is added to the tar file directly.
Try to make it clearer that it is not modifying the actual Cargo.lock file, but the one that is being stored in the .crate file.
This also restores the Cargo.lock update during packaging.
This was added for `cargo install` to avoid updating the source multiple times. Now that multiple updates are guarded via `Config::updated_sources`, it is no longer necessary.
ehuss
force-pushed
the
publish-lockfile-updates
branch
from
6ca61f0
to
8a30158
Compare
|
Updated with the suggestions. The last two commits seem a little hacky to me, but it seems to work. The last one just removes the source passed in to preload. I think it is no longer necessary, but I can easily revert that last commit if we want to keep it.
Correct. |
|
Also, I had to remove |
|
Nice! That all looks great to me. IIRC we already have a "VCS must be clean" check before publication, and I'd imagine that if the Cargo.lock was tracked and we update it then it'd be caught by that check, but maybe the check needs to be sequenced later in the publication process? I do think we'll want to trigger that check when we update Cargo.lock and it's tracked in VCS |
This includes `Cargo.lock` in the git dirty check. It explicitly excludes `Cargo.lock` as an untracked file, since it is not relevant for the dirty check; it is only checked if it is committed to git. This also adds `Cargo.lock` to the "did anything modify this" check during verification. I don't see a reason to exclude it (particularly since ephemeral workspaces do not save the lock file). Also add "Archiving: Cargo.lock" to the verbose output.
|
OK, the last commit adds a git check for |
|
@bors: r+ |
|
📌 Commit 7d20230 has been approved by |
bors
added
S-waiting-on-bors
publish-lockfile: Various updates This is a collection of changes to the `publish-lockfile` feature. They are separated by commit (see each for more detailed commit messages), and I can separate them into separate PRs if necessary. - Move publish-lockfile tests to a dedicated file. - Regenerate `Cargo.lock` when creating a package. - Ignore `Cargo.lock` in `cargo install` by default (requires `--locked` to use). - Add warnings for yanked dependencies. - Change default of publish-lockfile to true.
|
☀️ Test successful - checks-travis, status-appveyor |
…chton Update cargo, books ## cargo 5 commits in b6581d383ed596b133e330011658c6f83cf85c2f..6be12653dcefb46ee7b605f063ee75b5e6cba513 2019-04-16 16:02:11 +0000 to 2019-04-19 15:05:03 +0000 - Improved docs for `maintenance` options (rust-lang/cargo#6863) - publish-lockfile: Various updates (rust-lang/cargo#6840) - Treat HTTP/2 stream errors as spurious network errors. (rust-lang/cargo#6861) - Validate registry token before operations that require it. (rust-lang/cargo#6854) - Cleanups wrt DYLD_FALLBACK_LIBRARY_PATH handling (rust-lang/cargo#6856) ## reference 2 commits in 98f90ff..2a2de9c 2019-04-06 09:29:08 -0700 to 2019-04-22 10:25:52 -0700 - Remove unused link references. (rust-lang/reference#560) - Fix attribute redirects. (rust-lang/reference#562) ## book 22 commits in b93ec30bbc7b1b5c2f44223249ab359bed2ed5a6..db919bc6bb9071566e9c4f05053672133eaac33e 2019-03-26 16:54:10 -0400 to 2019-04-15 20:11:03 -0400 - Link to chapters mentioned in chapter 12 - Split up a long sentence - Unclear wording 4.3 (rust-lang/book#1907) - Corrected error for array out of bounds (rust-lang/book#1900) - Make lifetime explanation clearer (rust-lang/book#1901) - Replace `T: 'a + Messenger` with `T: Messenger` (rust-lang/book#1831) - Update range so matches rust-fmt . (rust-lang/book#1890) - Adding trailing comma (rust-lang/book#1891) - point 2018 book redirects to existing pages instead of index (rust-lang/book#1919) - Update ch04-03-slices.md (rust-lang/book#1921) - Update link for Russian translation. (rust-lang/book#1915) - Ch7 layout (rust-lang/book#1917) - Update the version of mdbook we use in-tree to match rust-lang/rust (rust-lang/book#1912) - Fix spellingz - Update listings in ch 19-6 for nostarch - Add a high-level overview of the changes in this version of the book - Fix Travis CI badge url (rust-lang/book#1893) - Redo listing numbers in chapter 19 after removals - Remove Advanced Lifetimes section completely - Merge branch 'gh1780' - Merge remote-tracking branch 'origin/master' into gh1567 - remove lifetime subtyping ## rust-by-example 4 commits in f68ef3d0f4959f6a7d92a08d9994b117f0f4d32d..1ff0f8e018838a710ebc0cc1a7bf74ebe73ad9f1 2019-03-12 15:32:12 -0300 to 2019-04-15 08:15:32 -0300 - Fix borrow so it fails in 2018 edition Fixes rust-lang/rust-by-example#1141 (rust-lang/rust-by-example#1152) - Replace lvalue and rvalue with place and value (rust-lang/rust-by-example#1160) - Mutate array in iter_mut() example (rust-lang/rust-by-example#1165) - Fix a typo ("half" -> "halve") (rust-lang/rust-by-example#1172) ## rustc-guide 8 commits in 464cb5b166378dff64619081dd4c42533a1eb989..99e1b1d53656be08654df399fc200584aebb50e4 2019-03-23 18:39:14 -0500 to 2019-04-20 09:57:54 -0500 - Update BodyId description - Update test-implementation chapter to current code - update chalk with new organization - move to subsection - fix MovePathIndex link - Update query chapter for the query macro rewrite - subchapter with information about `--error-format json` - Update query-evaluation-model-in-detail.md ## edition-guide 1 commits in b56ddb11548450a6df4edd1ed571b2bc304eb9e6..c413d42a207bd082f801ec0137c31b71e4bfed4c 2019-03-10 10:23:16 +0100 to 2019-04-22 01:14:56 +0200 - fix command (rust-lang/edition-guide#155) ## embedded-book 1 commits in 7989c723607ef5b13b57208022259e6c771e11d0..de3d55f521e657863df45260ebbca1b10527f662 2019-04-04 12:14:37 +0000 to 2019-04-22 12:58:28 +0000 - Minor fixes (rust-embedded/book#185) ## nomicon 6 commits in c02e0e7754a76886e55b976a3a4fac20100cd35d..fb29b147be4d9a1f8e24aba753a7e1de537abf61 2019-03-25 16:52:56 -0400 to 2019-04-22 19:10:29 -0400 - Fix link to copy_nonoverlapping (rust-lang/nomicon#134) - Various unchecked-uninit improvements (rust-lang/nomicon#130) - OOM behaviour in `vec-alloc.md` (rust-lang/nomicon#133) - Added missing "things". (rust-lang/nomicon#131) - Fix number agreement in subtyping chapter (rust-lang/nomicon#128) - Minor improvements (rust-lang/nomicon#129)
…chton Update cargo, books ## cargo 5 commits in b6581d383ed596b133e330011658c6f83cf85c2f..6be12653dcefb46ee7b605f063ee75b5e6cba513 2019-04-16 16:02:11 +0000 to 2019-04-19 15:05:03 +0000 - Improved docs for `maintenance` options (rust-lang/cargo#6863) - publish-lockfile: Various updates (rust-lang/cargo#6840) - Treat HTTP/2 stream errors as spurious network errors. (rust-lang/cargo#6861) - Validate registry token before operations that require it. (rust-lang/cargo#6854) - Cleanups wrt DYLD_FALLBACK_LIBRARY_PATH handling (rust-lang/cargo#6856) ## reference 2 commits in 98f90ff..2a2de9c 2019-04-06 09:29:08 -0700 to 2019-04-22 10:25:52 -0700 - Remove unused link references. (rust-lang/reference#560) - Fix attribute redirects. (rust-lang/reference#562) ## book 22 commits in b93ec30bbc7b1b5c2f44223249ab359bed2ed5a6..db919bc6bb9071566e9c4f05053672133eaac33e 2019-03-26 16:54:10 -0400 to 2019-04-15 20:11:03 -0400 - Link to chapters mentioned in chapter 12 - Split up a long sentence - Unclear wording 4.3 (rust-lang/book#1907) - Corrected error for array out of bounds (rust-lang/book#1900) - Make lifetime explanation clearer (rust-lang/book#1901) - Replace `T: 'a + Messenger` with `T: Messenger` (rust-lang/book#1831) - Update range so matches rust-fmt . (rust-lang/book#1890) - Adding trailing comma (rust-lang/book#1891) - point 2018 book redirects to existing pages instead of index (rust-lang/book#1919) - Update ch04-03-slices.md (rust-lang/book#1921) - Update link for Russian translation. (rust-lang/book#1915) - Ch7 layout (rust-lang/book#1917) - Update the version of mdbook we use in-tree to match rust-lang/rust (rust-lang/book#1912) - Fix spellingz - Update listings in ch 19-6 for nostarch - Add a high-level overview of the changes in this version of the book - Fix Travis CI badge url (rust-lang/book#1893) - Redo listing numbers in chapter 19 after removals - Remove Advanced Lifetimes section completely - Merge branch 'gh1780' - Merge remote-tracking branch 'origin/master' into gh1567 - remove lifetime subtyping ## rust-by-example 4 commits in f68ef3d0f4959f6a7d92a08d9994b117f0f4d32d..1ff0f8e018838a710ebc0cc1a7bf74ebe73ad9f1 2019-03-12 15:32:12 -0300 to 2019-04-15 08:15:32 -0300 - Fix borrow so it fails in 2018 edition Fixes rust-lang/rust-by-example#1141 (rust-lang/rust-by-example#1152) - Replace lvalue and rvalue with place and value (rust-lang/rust-by-example#1160) - Mutate array in iter_mut() example (rust-lang/rust-by-example#1165) - Fix a typo ("half" -> "halve") (rust-lang/rust-by-example#1172) ## rustc-guide 8 commits in 464cb5b166378dff64619081dd4c42533a1eb989..99e1b1d53656be08654df399fc200584aebb50e4 2019-03-23 18:39:14 -0500 to 2019-04-20 09:57:54 -0500 - Update BodyId description - Update test-implementation chapter to current code - update chalk with new organization - move to subsection - fix MovePathIndex link - Update query chapter for the query macro rewrite - subchapter with information about `--error-format json` - Update query-evaluation-model-in-detail.md ## edition-guide 1 commits in b56ddb11548450a6df4edd1ed571b2bc304eb9e6..c413d42a207bd082f801ec0137c31b71e4bfed4c 2019-03-10 10:23:16 +0100 to 2019-04-22 01:14:56 +0200 - fix command (rust-lang/edition-guide#155) ## embedded-book 1 commits in 7989c723607ef5b13b57208022259e6c771e11d0..de3d55f521e657863df45260ebbca1b10527f662 2019-04-04 12:14:37 +0000 to 2019-04-22 12:58:28 +0000 - Minor fixes (rust-embedded/book#185) ## nomicon 6 commits in c02e0e7754a76886e55b976a3a4fac20100cd35d..fb29b147be4d9a1f8e24aba753a7e1de537abf61 2019-03-25 16:52:56 -0400 to 2019-04-22 19:10:29 -0400 - Fix link to copy_nonoverlapping (rust-lang/nomicon#134) - Various unchecked-uninit improvements (rust-lang/nomicon#130) - OOM behaviour in `vec-alloc.md` (rust-lang/nomicon#133) - Added missing "things". (rust-lang/nomicon#131) - Fix number agreement in subtyping chapter (rust-lang/nomicon#128) - Minor improvements (rust-lang/nomicon#129)
Update cargo, books ## cargo 5 commits in b6581d383ed596b133e330011658c6f83cf85c2f..6be12653dcefb46ee7b605f063ee75b5e6cba513 2019-04-16 16:02:11 +0000 to 2019-04-19 15:05:03 +0000 - Improved docs for `maintenance` options (rust-lang/cargo#6863) - publish-lockfile: Various updates (rust-lang/cargo#6840) - Treat HTTP/2 stream errors as spurious network errors. (rust-lang/cargo#6861) - Validate registry token before operations that require it. (rust-lang/cargo#6854) - Cleanups wrt DYLD_FALLBACK_LIBRARY_PATH handling (rust-lang/cargo#6856) ## reference 2 commits in 98f90ff..2a2de9c 2019-04-06 09:29:08 -0700 to 2019-04-22 10:25:52 -0700 - Remove unused link references. (rust-lang/reference#560) - Fix attribute redirects. (rust-lang/reference#562) ## book 22 commits in b93ec30bbc7b1b5c2f44223249ab359bed2ed5a6..db919bc6bb9071566e9c4f05053672133eaac33e 2019-03-26 16:54:10 -0400 to 2019-04-15 20:11:03 -0400 - Link to chapters mentioned in chapter 12 - Split up a long sentence - Unclear wording 4.3 (rust-lang/book#1907) - Corrected error for array out of bounds (rust-lang/book#1900) - Make lifetime explanation clearer (rust-lang/book#1901) - Replace `T: 'a + Messenger` with `T: Messenger` (rust-lang/book#1831) - Update range so matches rust-fmt . (rust-lang/book#1890) - Adding trailing comma (rust-lang/book#1891) - point 2018 book redirects to existing pages instead of index (rust-lang/book#1919) - Update ch04-03-slices.md (rust-lang/book#1921) - Update link for Russian translation. (rust-lang/book#1915) - Ch7 layout (rust-lang/book#1917) - Update the version of mdbook we use in-tree to match rust-lang/rust (rust-lang/book#1912) - Fix spellingz - Update listings in ch 19-6 for nostarch - Add a high-level overview of the changes in this version of the book - Fix Travis CI badge url (rust-lang/book#1893) - Redo listing numbers in chapter 19 after removals - Remove Advanced Lifetimes section completely - Merge branch 'gh1780' - Merge remote-tracking branch 'origin/master' into gh1567 - remove lifetime subtyping ## rust-by-example 4 commits in f68ef3d0f4959f6a7d92a08d9994b117f0f4d32d..1ff0f8e018838a710ebc0cc1a7bf74ebe73ad9f1 2019-03-12 15:32:12 -0300 to 2019-04-15 08:15:32 -0300 - Fix borrow so it fails in 2018 edition Fixes rust-lang/rust-by-example#1141 (rust-lang/rust-by-example#1152) - Replace lvalue and rvalue with place and value (rust-lang/rust-by-example#1160) - Mutate array in iter_mut() example (rust-lang/rust-by-example#1165) - Fix a typo ("half" -> "halve") (rust-lang/rust-by-example#1172) ## rustc-guide 8 commits in 464cb5b166378dff64619081dd4c42533a1eb989..99e1b1d53656be08654df399fc200584aebb50e4 2019-03-23 18:39:14 -0500 to 2019-04-20 09:57:54 -0500 - Update BodyId description - Update test-implementation chapter to current code - update chalk with new organization - move to subsection - fix MovePathIndex link - Update query chapter for the query macro rewrite - subchapter with information about `--error-format json` - Update query-evaluation-model-in-detail.md ## edition-guide 1 commits in b56ddb11548450a6df4edd1ed571b2bc304eb9e6..c413d42a207bd082f801ec0137c31b71e4bfed4c 2019-03-10 10:23:16 +0100 to 2019-04-22 01:14:56 +0200 - fix command (rust-lang/edition-guide#155) ## embedded-book 1 commits in 7989c723607ef5b13b57208022259e6c771e11d0..de3d55f521e657863df45260ebbca1b10527f662 2019-04-04 12:14:37 +0000 to 2019-04-22 12:58:28 +0000 - Minor fixes (rust-embedded/book#185) ## nomicon 6 commits in c02e0e7754a76886e55b976a3a4fac20100cd35d..fb29b147be4d9a1f8e24aba753a7e1de537abf61 2019-03-25 16:52:56 -0400 to 2019-04-22 19:10:29 -0400 - Fix link to copy_nonoverlapping (rust-lang/nomicon#134) - Various unchecked-uninit improvements (rust-lang/nomicon#130) - OOM behaviour in `vec-alloc.md` (rust-lang/nomicon#133) - Added missing "things". (rust-lang/nomicon#131) - Fix number agreement in subtyping chapter (rust-lang/nomicon#128) - Minor improvements (rust-lang/nomicon#129)
This is a collection of changes to the
publish-lockfilefeature. They are separated by commit (see each for more detailed commit messages), and I can separate them into separate PRs if necessary.Cargo.lockwhen creating a package.Cargo.lockincargo installby default (requires--lockedto use).