From ebb5764ad80a1c2a985c6b08217e3adf0ece00f5 Mon Sep 17 00:00:00 2001
From: Eric Huss <eric@huss.org>
Date: Fri, 5 Apr 2019 13:25:08 -0700
Subject: [PATCH 01/12] Move publish-lockfile tests to a dedicated file.

---
 tests/testsuite/main.rs             |   1 +
 tests/testsuite/package.rs          | 167 ---------------------------
 tests/testsuite/publish_lockfile.rs | 171 ++++++++++++++++++++++++++++
 3 files changed, 172 insertions(+), 167 deletions(-)
 create mode 100644 tests/testsuite/publish_lockfile.rs

diff --git a/tests/testsuite/main.rs b/tests/testsuite/main.rs
index 95030c03718..ddc922ce894 100644
--- a/tests/testsuite/main.rs
+++ b/tests/testsuite/main.rs
@@ -68,6 +68,7 @@ mod profile_overrides;
 mod profile_targets;
 mod profiles;
 mod publish;
+mod publish_lockfile;
 mod read_manifest;
 mod registry;
 mod rename_deps;
diff --git a/tests/testsuite/package.rs b/tests/testsuite/package.rs
index 2b2a3555007..64a2e051b1a 100644
--- a/tests/testsuite/package.rs
+++ b/tests/testsuite/package.rs
@@ -1018,173 +1018,6 @@ Caused by:
         .run();
 }
 
-#[test]
-fn package_lockfile() {
-    let p = project()
-        .file(
-            "Cargo.toml",
-            r#"
-            cargo-features = ["publish-lockfile"]
-
-            [project]
-            name = "foo"
-            version = "0.0.1"
-            authors = []
-            license = "MIT"
-            description = "foo"
-            publish-lockfile = true
-        "#,
-        )
-        .file("src/main.rs", "fn main() {}")
-        .build();
-
-    p.cargo("package")
-        .masquerade_as_nightly_cargo()
-        .with_stderr(
-            "\
-[WARNING] manifest has no documentation[..]
-See [..]
-[PACKAGING] foo v0.0.1 ([CWD])
-[VERIFYING] foo v0.0.1 ([CWD])
-[COMPILING] foo v0.0.1 ([CWD][..])
-[FINISHED] dev [unoptimized + debuginfo] target(s) in [..]
-",
-        )
-        .run();
-    assert!(p.root().join("target/package/foo-0.0.1.crate").is_file());
-    p.cargo("package -l")
-        .masquerade_as_nightly_cargo()
-        .with_stdout(
-            "\
-Cargo.lock
-Cargo.toml
-src/main.rs
-",
-        )
-        .run();
-    p.cargo("package")
-        .masquerade_as_nightly_cargo()
-        .with_stdout("")
-        .run();
-
-    let f = File::open(&p.root().join("target/package/foo-0.0.1.crate")).unwrap();
-    validate_crate_contents(
-        f,
-        "foo-0.0.1.crate",
-        &["Cargo.toml", "Cargo.toml.orig", "Cargo.lock", "src/main.rs"],
-        &[],
-    );
-}
-
-#[test]
-fn package_lockfile_git_repo() {
-    let p = project().build();
-
-    // Create a Git repository containing a minimal Rust project.
-    let _ = git::repo(&paths::root().join("foo"))
-        .file(
-            "Cargo.toml",
-            r#"
-            cargo-features = ["publish-lockfile"]
-
-            [project]
-            name = "foo"
-            version = "0.0.1"
-            license = "MIT"
-            description = "foo"
-            documentation = "foo"
-            homepage = "foo"
-            repository = "foo"
-            publish-lockfile = true
-        "#,
-        )
-        .file("src/main.rs", "fn main() {}")
-        .build();
-    p.cargo("package -l")
-        .masquerade_as_nightly_cargo()
-        .with_stdout(
-            "\
-.cargo_vcs_info.json
-Cargo.lock
-Cargo.toml
-src/main.rs
-",
-        )
-        .run();
-}
-
-#[test]
-fn no_lock_file_with_library() {
-    let p = project()
-        .file(
-            "Cargo.toml",
-            r#"
-            cargo-features = ["publish-lockfile"]
-
-            [project]
-            name = "foo"
-            version = "0.0.1"
-            authors = []
-            license = "MIT"
-            description = "foo"
-            publish-lockfile = true
-        "#,
-        )
-        .file("src/lib.rs", "")
-        .build();
-
-    p.cargo("package").masquerade_as_nightly_cargo().run();
-
-    let f = File::open(&p.root().join("target/package/foo-0.0.1.crate")).unwrap();
-    validate_crate_contents(
-        f,
-        "foo-0.0.1.crate",
-        &["Cargo.toml", "Cargo.toml.orig", "src/lib.rs"],
-        &[],
-    );
-}
-
-#[test]
-fn lock_file_and_workspace() {
-    let p = project()
-        .file(
-            "Cargo.toml",
-            r#"
-            [workspace]
-            members = ["foo"]
-        "#,
-        )
-        .file(
-            "foo/Cargo.toml",
-            r#"
-            cargo-features = ["publish-lockfile"]
-
-            [package]
-            name = "foo"
-            version = "0.0.1"
-            authors = []
-            license = "MIT"
-            description = "foo"
-            publish-lockfile = true
-        "#,
-        )
-        .file("foo/src/main.rs", "fn main() {}")
-        .build();
-
-    p.cargo("package")
-        .cwd("foo")
-        .masquerade_as_nightly_cargo()
-        .run();
-
-    let f = File::open(&p.root().join("target/package/foo-0.0.1.crate")).unwrap();
-    validate_crate_contents(
-        f,
-        "foo-0.0.1.crate",
-        &["Cargo.toml", "Cargo.toml.orig", "src/main.rs", "Cargo.lock"],
-        &[],
-    );
-}
-
 #[test]
 fn do_not_package_if_src_was_modified() {
     let p = project()
diff --git a/tests/testsuite/publish_lockfile.rs b/tests/testsuite/publish_lockfile.rs
new file mode 100644
index 00000000000..5aa0caa3f10
--- /dev/null
+++ b/tests/testsuite/publish_lockfile.rs
@@ -0,0 +1,171 @@
+use std;
+use std::fs::File;
+
+use crate::support::{git, paths, project, publish::validate_crate_contents};
+
+#[test]
+fn package_lockfile() {
+    let p = project()
+        .file(
+            "Cargo.toml",
+            r#"
+            cargo-features = ["publish-lockfile"]
+
+            [project]
+            name = "foo"
+            version = "0.0.1"
+            authors = []
+            license = "MIT"
+            description = "foo"
+            publish-lockfile = true
+        "#,
+        )
+        .file("src/main.rs", "fn main() {}")
+        .build();
+
+    p.cargo("package")
+        .masquerade_as_nightly_cargo()
+        .with_stderr(
+            "\
+[WARNING] manifest has no documentation[..]
+See [..]
+[PACKAGING] foo v0.0.1 ([CWD])
+[VERIFYING] foo v0.0.1 ([CWD])
+[COMPILING] foo v0.0.1 ([CWD][..])
+[FINISHED] dev [unoptimized + debuginfo] target(s) in [..]
+",
+        )
+        .run();
+    assert!(p.root().join("target/package/foo-0.0.1.crate").is_file());
+    p.cargo("package -l")
+        .masquerade_as_nightly_cargo()
+        .with_stdout(
+            "\
+Cargo.lock
+Cargo.toml
+src/main.rs
+",
+        )
+        .run();
+    p.cargo("package")
+        .masquerade_as_nightly_cargo()
+        .with_stdout("")
+        .run();
+
+    let f = File::open(&p.root().join("target/package/foo-0.0.1.crate")).unwrap();
+    validate_crate_contents(
+        f,
+        "foo-0.0.1.crate",
+        &["Cargo.toml", "Cargo.toml.orig", "Cargo.lock", "src/main.rs"],
+        &[],
+    );
+}
+
+#[test]
+fn package_lockfile_git_repo() {
+    let p = project().build();
+
+    // Create a Git repository containing a minimal Rust project.
+    let _ = git::repo(&paths::root().join("foo"))
+        .file(
+            "Cargo.toml",
+            r#"
+            cargo-features = ["publish-lockfile"]
+
+            [project]
+            name = "foo"
+            version = "0.0.1"
+            license = "MIT"
+            description = "foo"
+            documentation = "foo"
+            homepage = "foo"
+            repository = "foo"
+            publish-lockfile = true
+        "#,
+        )
+        .file("src/main.rs", "fn main() {}")
+        .build();
+    p.cargo("package -l")
+        .masquerade_as_nightly_cargo()
+        .with_stdout(
+            "\
+.cargo_vcs_info.json
+Cargo.lock
+Cargo.toml
+src/main.rs
+",
+        )
+        .run();
+}
+
+#[test]
+fn no_lock_file_with_library() {
+    let p = project()
+        .file(
+            "Cargo.toml",
+            r#"
+            cargo-features = ["publish-lockfile"]
+
+            [project]
+            name = "foo"
+            version = "0.0.1"
+            authors = []
+            license = "MIT"
+            description = "foo"
+            publish-lockfile = true
+        "#,
+        )
+        .file("src/lib.rs", "")
+        .build();
+
+    p.cargo("package").masquerade_as_nightly_cargo().run();
+
+    let f = File::open(&p.root().join("target/package/foo-0.0.1.crate")).unwrap();
+    validate_crate_contents(
+        f,
+        "foo-0.0.1.crate",
+        &["Cargo.toml", "Cargo.toml.orig", "src/lib.rs"],
+        &[],
+    );
+}
+
+#[test]
+fn lock_file_and_workspace() {
+    let p = project()
+        .file(
+            "Cargo.toml",
+            r#"
+            [workspace]
+            members = ["foo"]
+        "#,
+        )
+        .file(
+            "foo/Cargo.toml",
+            r#"
+            cargo-features = ["publish-lockfile"]
+
+            [package]
+            name = "foo"
+            version = "0.0.1"
+            authors = []
+            license = "MIT"
+            description = "foo"
+            publish-lockfile = true
+        "#,
+        )
+        .file("foo/src/main.rs", "fn main() {}")
+        .build();
+
+    p.cargo("package")
+        .cwd("foo")
+        .masquerade_as_nightly_cargo()
+        .run();
+
+    let f = File::open(&p.root().join("target/package/foo-0.0.1.crate")).unwrap();
+    validate_crate_contents(
+        f,
+        "foo-0.0.1.crate",
+        &["Cargo.toml", "Cargo.toml.orig", "src/main.rs", "Cargo.lock"],
+        &[],
+    );
+}

From 27932ead44548259e150756df00e40a1feecbc33 Mon Sep 17 00:00:00 2001
From: Eric Huss <eric@huss.org>
Date: Sun, 7 Apr 2019 14:58:56 -0700
Subject: [PATCH 02/12] publish-lockfile: Always check Cargo.lock is
 up-to-date.

This changes it so that `cargo package` will make sure the Cargo.lock file is
in sync with the Cargo.toml that is generated during packaging. This has several
points:

- This makes the Cargo.lock more accurately reflect what would be locked
  if a user runs `cargo install` on the resulting package.
- In a workspace, this removes irrelevant packages from the lock file.
- This handles `[patch]` dependencies and dual-source dependencies (like
  path/version).
- Warnings are generated for any differences in the lock file compared to the
  original.

This has a significant change in how `cargo package` works. It now
unconditionally copies the package to `target/package`. Previously this was only
done during the verification step. This is necessary to run the resolver against
the new `Cargo.toml` that gets generated.
---
 src/cargo/ops/cargo_package.rs      | 179 +++++++++++++++----
 tests/testsuite/publish_lockfile.rs | 267 +++++++++++++++++++++-------
 2 files changed, 347 insertions(+), 99 deletions(-)

diff --git a/src/cargo/ops/cargo_package.rs b/src/cargo/ops/cargo_package.rs
index 6409d7780de..35f73a495e5 100644
--- a/src/cargo/ops/cargo_package.rs
+++ b/src/cargo/ops/cargo_package.rs
@@ -1,18 +1,18 @@
-use std::collections::HashMap;
+use std::collections::{BTreeSet, HashMap};
 use std::fs::{self, File};
 use std::io::prelude::*;
 use std::io::SeekFrom;
 use std::path::{self, Path, PathBuf};
 use std::sync::Arc;
 
-use flate2::read::GzDecoder;
 use flate2::{Compression, GzBuilder};
 use log::debug;
 use serde_json::{self, json};
-use tar::{Archive, Builder, EntryType, Header};
+use tar::{Builder, EntryType, Header};
 
 use crate::core::compiler::{BuildConfig, CompileMode, DefaultExecutor, Executor};
-use crate::core::{Package, Source, SourceId, Workspace};
+use crate::core::resolver::Method;
+use crate::core::{Package, PackageId, PackageIdSpec, Resolve, Source, SourceId, Workspace};
 use crate::ops;
 use crate::sources::PathSource;
 use crate::util::errors::{CargoResult, CargoResultExt};
@@ -35,7 +35,6 @@ pub struct PackageOpts<'cfg> {
 static VCS_INFO_FILE: &'static str = ".cargo_vcs_info.json";
 
 pub fn package(ws: &Workspace<'_>, opts: &PackageOpts<'_>) -> CargoResult<Option<FileLock>> {
-    ops::resolve_ws(ws)?;
     let pkg = ws.current()?;
     let config = ws.config();
 
@@ -100,7 +99,7 @@ pub fn package(ws: &Workspace<'_>, opts: &PackageOpts<'_>) -> CargoResult<Option
         .shell()
         .status("Packaging", pkg.package_id().to_string())?;
     dst.file().set_len(0)?;
-    tar(ws, &src_files, vcs_info.as_ref(), dst.file(), &filename)
+    tar(ws, &src_files, vcs_info.as_ref(), &dst, &filename)
         .chain_err(|| failure::format_err!("failed to prepare local package for uploading"))?;
     if opts.verify {
         dst.seek(SeekFrom::Start(0))?;
@@ -281,35 +280,43 @@ fn tar(
     ws: &Workspace<'_>,
     src_files: &[PathBuf],
     vcs_info: Option<&serde_json::Value>,
-    dst: &File,
+    dst: &FileLock,
     filename: &str,
 ) -> CargoResult<()> {
     // Prepare the encoder and its header.
     let filename = Path::new(filename);
     let encoder = GzBuilder::new()
         .filename(util::path2bytes(filename)?)
-        .write(dst, Compression::best());
+        .write(dst.file(), Compression::best());
 
     // Put all package files into a compressed archive.
     let mut ar = Builder::new(encoder);
     let pkg = ws.current()?;
     let config = ws.config();
     let root = pkg.root();
-    for file in src_files.iter() {
-        let relative = file.strip_prefix(root)?;
+    // While creating the tar file, also copy to the output directory.
+    let dest_copy_root = dst
+        .parent()
+        .join(format!("{}-{}", pkg.name(), pkg.version()));
+    if dest_copy_root.exists() {
+        paths::remove_dir_all(&dest_copy_root)?;
+    }
+    fs::create_dir_all(&dest_copy_root)?;
+    for src_file in src_files {
+        let relative = src_file.strip_prefix(root)?;
         check_filename(relative)?;
-        let relative = relative.to_str().ok_or_else(|| {
+        let relative_str = relative.to_str().ok_or_else(|| {
             failure::format_err!("non-utf8 path in source directory: {}", relative.display())
         })?;
         config
             .shell()
-            .verbose(|shell| shell.status("Archiving", &relative))?;
+            .verbose(|shell| shell.status("Archiving", &relative_str))?;
         let path = format!(
             "{}-{}{}{}",
             pkg.name(),
             pkg.version(),
             path::MAIN_SEPARATOR,
-            relative
+            relative_str
         );
 
         // The `tar::Builder` type by default will build GNU archives, but
@@ -333,20 +340,21 @@ fn tar(
         let mut header = Header::new_ustar();
         header
             .set_path(&path)
-            .chain_err(|| format!("failed to add to archive: `{}`", relative))?;
-        let mut file = File::open(file)
-            .chain_err(|| format!("failed to open for archiving: `{}`", file.display()))?;
+            .chain_err(|| format!("failed to add to archive: `{}`", relative_str))?;
+        let mut file = File::open(src_file)
+            .chain_err(|| format!("failed to open for archiving: `{}`", src_file.display()))?;
         let metadata = file
             .metadata()
-            .chain_err(|| format!("could not learn metadata for: `{}`", relative))?;
+            .chain_err(|| format!("could not learn metadata for: `{}`", relative_str))?;
         header.set_metadata(&metadata);
 
-        if relative == "Cargo.toml" {
+        if relative_str == "Cargo.toml" {
             let orig = Path::new(&path).with_file_name("Cargo.toml.orig");
             header.set_path(&orig)?;
             header.set_cksum();
-            ar.append(&header, &mut file)
-                .chain_err(|| internal(format!("could not archive source file `{}`", relative)))?;
+            ar.append(&header, &mut file).chain_err(|| {
+                internal(format!("could not archive source file `{}`", relative_str))
+            })?;
 
             let mut header = Header::new_ustar();
             let toml = pkg.to_registry_toml(ws.config())?;
@@ -355,12 +363,22 @@ fn tar(
             header.set_mode(0o644);
             header.set_size(toml.len() as u64);
             header.set_cksum();
-            ar.append(&header, toml.as_bytes())
-                .chain_err(|| internal(format!("could not archive source file `{}`", relative)))?;
+            ar.append(&header, toml.as_bytes()).chain_err(|| {
+                internal(format!("could not archive source file `{}`", relative_str))
+            })?;
+            fs::write(dest_copy_root.join(relative), toml)?;
+            fs::copy(src_file, dest_copy_root.join("Cargo.toml.orig"))?;
         } else {
             header.set_cksum();
-            ar.append(&header, &mut file)
-                .chain_err(|| internal(format!("could not archive source file `{}`", relative)))?;
+            ar.append(&header, &mut file).chain_err(|| {
+                internal(format!("could not archive source file `{}`", relative_str))
+            })?;
+            let dest = dest_copy_root.join(relative);
+            let parent = dest.parent().unwrap();
+            if !parent.exists() {
+                fs::create_dir_all(parent)?;
+            }
+            fs::copy(src_file, dest)?;
         }
     }
 
@@ -394,7 +412,27 @@ fn tar(
     }
 
     if include_lockfile(pkg) {
-        let toml = paths::read(&ws.root().join("Cargo.lock"))?;
+        let orig_lock_path = ws.root().join("Cargo.lock");
+        let new_lock_path = dest_copy_root.join("Cargo.lock");
+        if orig_lock_path.exists() {
+            fs::copy(&orig_lock_path, &new_lock_path)?;
+        }
+
+        // Regenerate Cargo.lock using the old one as a guide.
+        let orig_resolve = ops::load_pkg_lockfile(ws)?;
+        let id = SourceId::for_path(&dest_copy_root)?;
+        let mut src = PathSource::new(&dest_copy_root, id, ws.config());
+        let new_pkg = src.root_package()?;
+        let specs = vec![PackageIdSpec::from_package_id(new_pkg.package_id())];
+        let tmp_ws = Workspace::ephemeral(new_pkg, config, None, true)?;
+        let new_resolve = ops::resolve_ws_with_method(&tmp_ws, None, Method::Everything, &specs)?.1;
+        // resolve_ws_with_method won't save for ephemeral, do it manually.
+        ops::write_pkg_lockfile(&tmp_ws, &new_resolve)?;
+        if let Some(orig_resolve) = orig_resolve {
+            compare_resolve(config, tmp_ws.current()?, &orig_resolve, &new_resolve)?;
+        }
+
+        let toml = paths::read(&new_lock_path)?;
         let path = format!(
             "{}-{}{}Cargo.lock",
             pkg.name(),
@@ -416,24 +454,97 @@ fn tar(
     Ok(())
 }
 
+/// Generate warnings when packaging Cargo.lock, and the resolve have changed.
+fn compare_resolve(
+    config: &Config,
+    current_pkg: &Package,
+    orig_resolve: &Resolve,
+    new_resolve: &Resolve,
+) -> CargoResult<()> {
+    let new_set: BTreeSet<PackageId> = new_resolve.iter().collect();
+    let orig_set: BTreeSet<PackageId> = orig_resolve.iter().collect();
+    let added = new_set.difference(&orig_set);
+    // Removed entries are ignored, this is used to quickly find hints for why
+    // an entry changed.
+    let removed: Vec<&PackageId> = orig_set.difference(&new_set).collect();
+    for pkg_id in added {
+        if pkg_id.name() == current_pkg.name() && pkg_id.version() == current_pkg.version() {
+            // Skip the package that is being created, since its SourceId
+            // (directory) changes.
+            continue;
+        }
+        // Check for candidates where the source has changed (such as [patch]
+        // or a dependency with multiple sources like path/version).
+        let removed_candidates: Vec<&PackageId> = removed
+            .iter()
+            .filter(|orig_pkg_id| {
+                orig_pkg_id.name() == pkg_id.name() && orig_pkg_id.version() == pkg_id.version()
+            })
+            .cloned()
+            .collect();
+        let extra = match removed_candidates.len() {
+            0 => {
+                // This can happen if the original was out of date.
+                let previous_versions: Vec<&PackageId> = removed
+                    .iter()
+                    .filter(|orig_pkg_id| orig_pkg_id.name() == pkg_id.name())
+                    .cloned()
+                    .collect();
+                match previous_versions.len() {
+                    0 => String::new(),
+                    1 => format!(
+                        ", previous version was `{}`",
+                        previous_versions[0].version()
+                    ),
+                    _ => format!(
+                        ", previous versions were: {}",
+                        previous_versions
+                            .iter()
+                            .map(|pkg_id| format!("`{}`", pkg_id.version()))
+                            .collect::<Vec<_>>()
+                            .join(", ")
+                    ),
+                }
+            }
+            1 => {
+                // This can happen for multi-sourced dependencies like
+                // `{path="...", version="..."}` or `[patch]` replacement.
+                // `[replace]` is not captured in Cargo.lock.
+                format!(
+                    ", was originally sourced from `{}`",
+                    removed_candidates[0].source_id()
+                )
+            }
+            _ => {
+                // I don't know if there is a way to actually trigger this,
+                // but handle it just in case.
+                let comma_list = removed_candidates
+                    .iter()
+                    .map(|pkg_id| format!("`{}`", pkg_id.source_id()))
+                    .collect::<Vec<_>>()
+                    .join(", ");
+                format!(
+                    ", was originally sourced from one of these sources: {}",
+                    comma_list
+                )
+            }
+        };
+        config
+            .shell()
+            .warn(format!("package `{}` added to Cargo.lock{}", pkg_id, extra))?;
+    }
+    Ok(())
+}
+
 fn run_verify(ws: &Workspace<'_>, tar: &FileLock, opts: &PackageOpts<'_>) -> CargoResult<()> {
     let config = ws.config();
     let pkg = ws.current()?;
 
     config.shell().status("Verifying", pkg)?;
 
-    let f = GzDecoder::new(tar.file());
     let dst = tar
         .parent()
         .join(&format!("{}-{}", pkg.name(), pkg.version()));
-    if dst.exists() {
-        paths::remove_dir_all(&dst)?;
-    }
-    let mut archive = Archive::new(f);
-    // We don't need to set the Modified Time, as it's not relevant to verification
-    // and it errors on filesystems that don't support setting a modified timestamp
-    archive.set_preserve_mtime(false);
-    archive.unpack(dst.parent().unwrap())?;
 
     // Manufacture an ephemeral workspace to ensure that even if the top-level
     // package has a workspace we can still build our new crate.
diff --git a/tests/testsuite/publish_lockfile.rs b/tests/testsuite/publish_lockfile.rs
index 5aa0caa3f10..de04876f4f2 100644
--- a/tests/testsuite/publish_lockfile.rs
+++ b/tests/testsuite/publish_lockfile.rs
@@ -1,25 +1,37 @@
 use std;
 use std::fs::File;
 
-use crate::support::{git, paths, project, publish::validate_crate_contents};
+use crate::support::registry::Package;
+use crate::support::{
+    basic_manifest, cargo_process, git, paths, project, publish::validate_crate_contents,
+};
+
+fn pl_manifest(name: &str, version: &str, extra: &str) -> String {
+    format!(
+        r#"
+        cargo-features = ["publish-lockfile"]
+
+        [project]
+        name = "{}"
+        version = "{}"
+        authors = []
+        license = "MIT"
+        description = "foo"
+        documentation = "foo"
+        homepage = "foo"
+        repository = "foo"
+        publish-lockfile = true
+
+        {}
+        "#,
+        name, version, extra
+    )
+}
 
 #[test]
 fn package_lockfile() {
     let p = project()
-        .file(
-            "Cargo.toml",
-            r#"
-            cargo-features = ["publish-lockfile"]
-
-            [project]
-            name = "foo"
-            version = "0.0.1"
-            authors = []
-            license = "MIT"
-            description = "foo"
-            publish-lockfile = true
-        "#,
-        )
+        .file("Cargo.toml", &pl_manifest("foo", "0.0.1", ""))
         .file("src/main.rs", "fn main() {}")
         .build();
 
@@ -27,8 +39,6 @@ fn package_lockfile() {
         .masquerade_as_nightly_cargo()
         .with_stderr(
             "\
-[WARNING] manifest has no documentation[..]
-See [..]
 [PACKAGING] foo v0.0.1 ([CWD])
 [VERIFYING] foo v0.0.1 ([CWD])
 [COMPILING] foo v0.0.1 ([CWD][..])
@@ -63,29 +73,13 @@ src/main.rs
 
 #[test]
 fn package_lockfile_git_repo() {
-    let p = project().build();
-
     // Create a Git repository containing a minimal Rust project.
-    let _ = git::repo(&paths::root().join("foo"))
-        .file(
-            "Cargo.toml",
-            r#"
-            cargo-features = ["publish-lockfile"]
-
-            [project]
-            name = "foo"
-            version = "0.0.1"
-            license = "MIT"
-            description = "foo"
-            documentation = "foo"
-            homepage = "foo"
-            repository = "foo"
-            publish-lockfile = true
-        "#,
-        )
+    let g = git::repo(&paths::root().join("foo"))
+        .file("Cargo.toml", &pl_manifest("foo", "0.0.1", ""))
         .file("src/main.rs", "fn main() {}")
         .build();
-    p.cargo("package -l")
+    cargo_process("package -l")
+        .cwd(g.root())
         .masquerade_as_nightly_cargo()
         .with_stdout(
             "\
@@ -101,20 +95,7 @@ src/main.rs
 #[test]
 fn no_lock_file_with_library() {
     let p = project()
-        .file(
-            "Cargo.toml",
-            r#"
-            cargo-features = ["publish-lockfile"]
-
-            [project]
-            name = "foo"
-            version = "0.0.1"
-            authors = []
-            license = "MIT"
-            description = "foo"
-            publish-lockfile = true
-        "#,
-        )
+        .file("Cargo.toml", &pl_manifest("foo", "0.0.1", ""))
         .file("src/lib.rs", "")
         .build();
 
@@ -139,20 +120,7 @@ fn lock_file_and_workspace() {
             members = ["foo"]
         "#,
         )
-        .file(
-            "foo/Cargo.toml",
-            r#"
-            cargo-features = ["publish-lockfile"]
-
-            [package]
-            name = "foo"
-            version = "0.0.1"
-            authors = []
-            license = "MIT"
-            description = "foo"
-            publish-lockfile = true
-        "#,
-        )
+        .file("foo/Cargo.toml", &pl_manifest("foo", "0.0.1", ""))
         .file("foo/src/main.rs", "fn main() {}")
         .build();
 
@@ -169,3 +137,172 @@ fn lock_file_and_workspace() {
         &[],
     );
 }
+
+#[test]
+fn warn_resolve_changes() {
+    // `multi` has multiple sources (path and registry).
+    Package::new("mutli", "0.1.0").publish();
+    // `updated` is always from registry, but should not change.
+    Package::new("updated", "1.0.0").publish();
+    // `patched` is [patch]ed.
+    Package::new("patched", "1.0.0").publish();
+
+    let p = project()
+        .file(
+            "Cargo.toml",
+            &pl_manifest(
+                "foo",
+                "0.0.1",
+                r#"
+                [dependencies]
+                mutli = { path = "mutli", version = "0.1" }
+                updated = "1.0"
+                patched = "1.0"
+
+                [patch.crates-io]
+                patched = { path = "patched" }
+                "#,
+            ),
+        )
+        .file("src/main.rs", "fn main() {}")
+        .file("mutli/Cargo.toml", &basic_manifest("mutli", "0.1.0"))
+        .file("mutli/src/lib.rs", "")
+        .file("patched/Cargo.toml", &basic_manifest("patched", "1.0.0"))
+        .file("patched/src/lib.rs", "")
+        .build();
+
+    p.cargo("generate-lockfile")
+        .masquerade_as_nightly_cargo()
+        .run();
+
+    // Make sure this does not change or warn.
+    Package::new("updated", "1.0.1").publish();
+
+    p.cargo("package --no-verify")
+        .masquerade_as_nightly_cargo()
+        .with_stderr_unordered(
+            "\
+[PACKAGING] foo v0.0.1 ([..])
+[UPDATING] `[..]` index
+[WARNING] package `mutli v0.1.0` added to Cargo.lock, was originally sourced from `[..]/foo/mutli`
+[WARNING] package `patched v1.0.0` added to Cargo.lock, was originally sourced from `[..]/foo/patched`
+",
+        )
+        .run();
+}
+
+#[test]
+fn outdated_lock_version_change_does_not_warn() {
+    // If the version of the package being packaged changes, but Cargo.lock is
+    // not updated, don't bother warning about it.
+    let p = project()
+        .file("Cargo.toml", &pl_manifest("foo", "0.1.0", ""))
+        .file("src/main.rs", "fn main() {}")
+        .build();
+
+    p.cargo("generate-lockfile")
+        .masquerade_as_nightly_cargo()
+        .run();
+
+    p.change_file("Cargo.toml", &pl_manifest("foo", "0.2.0", ""));
+
+    p.cargo("package --no-verify")
+        .masquerade_as_nightly_cargo()
+        .with_stderr("[PACKAGING] foo v0.2.0 ([..])")
+        .run();
+}
+
+#[test]
+fn no_warn_workspace_extras() {
+    // Other entries in workspace lock file should be ignored.
+    Package::new("dep1", "1.0.0").publish();
+    Package::new("dep2", "1.0.0").publish();
+
+    let p = project()
+        .file(
+            "Cargo.toml",
+            r#"
+            [workspace]
+            members = ["a", "b"]
+            "#,
+        )
+        .file(
+            "a/Cargo.toml",
+            &pl_manifest(
+                "a",
+                "0.1.0",
+                r#"
+                [dependencies]
+                dep1 = "1.0"
+                "#,
+            ),
+        )
+        .file("a/src/main.rs", "fn main() {}")
+        .file(
+            "b/Cargo.toml",
+            &pl_manifest(
+                "b",
+                "0.1.0",
+                r#"
+                [dependencies]
+                dep2 = "1.0"
+                "#,
+            ),
+        )
+        .file("b/src/main.rs", "fn main() {}")
+        .build();
+    p.cargo("generate-lockfile")
+        .masquerade_as_nightly_cargo()
+        .run();
+    p.cargo("package --no-verify")
+        .cwd("a")
+        .masquerade_as_nightly_cargo()
+        .with_stderr("[PACKAGING] a v0.1.0 ([..])")
+        .run();
+}
+
+#[test]
+fn out_of_date_lock_warn() {
+    // Dependency is force-changed from an out-of-date Cargo.lock.
+    Package::new("dep", "1.0.0").publish();
+    Package::new("dep", "2.0.0").publish();
+
+    let p = project()
+        .file(
+            "Cargo.toml",
+            &pl_manifest(
+                "foo",
+                "0.0.1",
+                r#"
+                [dependencies]
+                dep = "1.0"
+                "#,
+            ),
+        )
+        .file("src/main.rs", "fn main() {}")
+        .build();
+    p.cargo("generate-lockfile")
+        .masquerade_as_nightly_cargo()
+        .run();
+    p.change_file(
+        "Cargo.toml",
+        &pl_manifest(
+            "foo",
+            "0.0.1",
+            r#"
+            [dependencies]
+            dep = "2.0"
+            "#,
+        ),
+    );
+    p.cargo("package --no-verify")
+        .masquerade_as_nightly_cargo()
+        .with_stderr(
+            "\
+[PACKAGING] foo v0.0.1 ([..])
+[UPDATING] `[..]` index
+[WARNING] package `dep v2.0.0` added to Cargo.lock, previous version was `1.0.0`
+",
+        )
+        .run();
+}

From 3d8937936717382db7f52a8819a6ea5393c9e8d8 Mon Sep 17 00:00:00 2001
From: Eric Huss <eric@huss.org>
Date: Sun, 7 Apr 2019 18:26:08 -0700
Subject: [PATCH 03/12] cargo install: Ignore Cargo.lock for non --path
 installs.

Requires `--locked` to use Cargo.lock for registry and git installs.
---
 src/cargo/core/workspace.rs    | 19 +++++++++++--
 src/cargo/ops/cargo_install.rs |  6 ++++-
 src/cargo/ops/resolve.rs       |  4 ++-
 tests/testsuite/install.rs     | 49 +++++++++++++++++++++++++++++++++-
 4 files changed, 73 insertions(+), 5 deletions(-)

diff --git a/src/cargo/core/workspace.rs b/src/cargo/core/workspace.rs
index 45b6a7877ae..1b0c6bd0deb 100644
--- a/src/cargo/core/workspace.rs
+++ b/src/cargo/core/workspace.rs
@@ -77,6 +77,10 @@ pub struct Workspace<'cfg> {
     // A cache of loaded packages for particular paths which is disjoint from
     // `packages` up above, used in the `load` method down below.
     loaded_packages: RefCell<HashMap<PathBuf, Package>>,
+
+    // If `true`, then the resolver will ignore any existing `Cargo.lock`
+    // file. This is set for `cargo install` without `--locked`.
+    ignore_lock: bool,
 }
 
 // Separate structure for tracking loaded packages (to avoid loading anything
@@ -148,6 +152,7 @@ impl<'cfg> Workspace<'cfg> {
             is_ephemeral: false,
             require_optional_deps: true,
             loaded_packages: RefCell::new(HashMap::new()),
+            ignore_lock: false,
         };
         ws.root_manifest = ws.find_root(manifest_path)?;
         ws.find_members()?;
@@ -184,6 +189,7 @@ impl<'cfg> Workspace<'cfg> {
             is_ephemeral: true,
             require_optional_deps,
             loaded_packages: RefCell::new(HashMap::new()),
+            ignore_lock: false,
         };
         {
             let key = ws.current_manifest.parent().unwrap();
@@ -320,14 +326,23 @@ impl<'cfg> Workspace<'cfg> {
         self.require_optional_deps
     }
 
-    pub fn set_require_optional_deps<'a>(
-        &'a mut self,
+    pub fn set_require_optional_deps(
+        &mut self,
         require_optional_deps: bool,
     ) -> &mut Workspace<'cfg> {
         self.require_optional_deps = require_optional_deps;
         self
     }
 
+    pub fn ignore_lock(&self) -> bool {
+        self.ignore_lock
+    }
+
+    pub fn set_ignore_lock(&mut self, ignore_lock: bool) -> &mut Workspace<'cfg> {
+        self.ignore_lock = ignore_lock;
+        self
+    }
+
     /// Finds the root of a workspace for the crate whose manifest is located
     /// at `manifest_path`.
     ///
diff --git a/src/cargo/ops/cargo_install.rs b/src/cargo/ops/cargo_install.rs
index 12ea145a13e..08c4693d34b 100644
--- a/src/cargo/ops/cargo_install.rs
+++ b/src/cargo/ops/cargo_install.rs
@@ -215,7 +215,11 @@ fn install_one(
     };
 
     let ws = match overidden_target_dir {
-        Some(dir) => Workspace::ephemeral(pkg, config, Some(dir), false)?,
+        Some(dir) => {
+            let mut ws = Workspace::ephemeral(pkg, config, Some(dir), false)?;
+            ws.set_ignore_lock(config.lock_update_allowed());
+            ws
+        }
         None => {
             let mut ws = Workspace::new(pkg.manifest_path(), config)?;
             ws.set_require_optional_deps(false);
diff --git a/src/cargo/ops/resolve.rs b/src/cargo/ops/resolve.rs
index f14abf1821d..1532fb31b91 100644
--- a/src/cargo/ops/resolve.rs
+++ b/src/cargo/ops/resolve.rs
@@ -64,7 +64,9 @@ pub fn resolve_ws_with_method<'a>(
     }
     let mut add_patches = true;
 
-    let resolve = if ws.require_optional_deps() {
+    let resolve = if ws.ignore_lock() {
+        None
+    } else if ws.require_optional_deps() {
         // First, resolve the root_package's *listed* dependencies, as well as
         // downloading and updating all remotes and such.
         let resolve = resolve_with_registry(ws, &mut registry, false)?;
diff --git a/tests/testsuite/install.rs b/tests/testsuite/install.rs
index 0a0ead7bc0a..ada9f3f5c5a 100644
--- a/tests/testsuite/install.rs
+++ b/tests/testsuite/install.rs
@@ -1190,6 +1190,8 @@ fn custom_target_dir_for_git_source() {
 
 #[test]
 fn install_respects_lock_file() {
+    // `cargo install` now requires --locked to use a Cargo.lock for non
+    // --path installs.
     Package::new("bar", "0.1.0").publish();
     Package::new("bar", "0.1.1")
         .file("src/lib.rs", "not rust")
@@ -1219,7 +1221,52 @@ dependencies = [
         )
         .publish();
 
-    cargo_process("install foo").run();
+    cargo_process("install foo")
+        .with_stderr_contains("[..]not rust[..]")
+        .with_status(101)
+        .run();
+    cargo_process("install --locked foo").run();
+}
+
+#[test]
+fn install_path_respects_lock_file() {
+    // For --path installs, always use local Cargo.lock.
+    Package::new("bar", "0.1.0").publish();
+    Package::new("bar", "0.1.1")
+        .file("src/lib.rs", "not rust")
+        .publish();
+    let p = project()
+        .file(
+            "Cargo.toml",
+            r#"
+            [package]
+            name = "foo"
+            version = "0.1.0"
+
+            [dependencies]
+            bar = "0.1"
+            "#,
+        )
+        .file("src/main.rs", "extern crate bar; fn main() {}")
+        .file(
+            "Cargo.lock",
+            r#"
+[[package]]
+name = "bar"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
+[[package]]
+name = "foo"
+version = "0.1.0"
+dependencies = [
+ "bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+"#,
+        )
+        .build();
+
+    p.cargo("install --path .").run();
 }
 
 #[test]

From 5f616eb18e979650beb50bfb955dc4213137a234 Mon Sep 17 00:00:00 2001
From: Eric Huss <eric@huss.org>
Date: Tue, 9 Apr 2019 19:00:40 -0700
Subject: [PATCH 04/12] Add warnings for yanked dependencies.

This only applies for `cargo package/publish` with the publish-lockfile feature,
or `cargo install --locked`.
---
 src/cargo/core/package.rs            |   6 +-
 src/cargo/core/source/mod.rs         |  12 +++
 src/cargo/core/source/source_id.rs   |  12 ++-
 src/cargo/ops/cargo_install.rs       |  31 +++++++-
 src/cargo/ops/cargo_package.rs       |  25 +++++-
 src/cargo/sources/directory.rs       |   4 +
 src/cargo/sources/git/source.rs      |   4 +
 src/cargo/sources/path.rs            |   4 +
 src/cargo/sources/registry/index.rs  |   9 +++
 src/cargo/sources/registry/mod.rs    |  10 ++-
 src/cargo/sources/registry/remote.rs |   2 +-
 src/cargo/sources/replaced.rs        |   4 +
 tests/testsuite/publish_lockfile.rs  | 110 ++++++++++++++++++++++++++-
 13 files changed, 225 insertions(+), 8 deletions(-)

diff --git a/src/cargo/core/package.rs b/src/cargo/core/package.rs
index 12c79f8e2df..389a5ab93ec 100644
--- a/src/cargo/core/package.rs
+++ b/src/cargo/core/package.rs
@@ -1,4 +1,4 @@
-use std::cell::{Cell, Ref, RefCell};
+use std::cell::{Cell, Ref, RefCell, RefMut};
 use std::cmp::Ordering;
 use std::collections::{HashMap, HashSet};
 use std::fmt;
@@ -454,6 +454,10 @@ impl<'cfg> PackageSet<'cfg> {
     pub fn sources(&self) -> Ref<'_, SourceMap<'cfg>> {
         self.sources.borrow()
     }
+
+    pub fn sources_mut(&self) -> RefMut<'_, SourceMap<'cfg>> {
+        self.sources.borrow_mut()
+    }
 }
 
 // When dynamically linked against libcurl, we want to ignore some failures
diff --git a/src/cargo/core/source/mod.rs b/src/cargo/core/source/mod.rs
index 7d9b36e3d6f..0a07b8dfb6e 100644
--- a/src/cargo/core/source/mod.rs
+++ b/src/cargo/core/source/mod.rs
@@ -96,6 +96,10 @@ pub trait Source {
     /// queries, even if they are yanked. Currently only applies to registry
     /// sources.
     fn add_to_yanked_whitelist(&mut self, pkgs: &[PackageId]);
+
+    /// Query if a package is yanked. Only registry sources can mark packages
+    /// as yanked. This ignores the yanked whitelist.
+    fn is_yanked(&mut self, _pkg: PackageId) -> CargoResult<bool>;
 }
 
 pub enum MaybePackage {
@@ -169,6 +173,10 @@ impl<'a, T: Source + ?Sized + 'a> Source for Box<T> {
     fn add_to_yanked_whitelist(&mut self, pkgs: &[PackageId]) {
         (**self).add_to_yanked_whitelist(pkgs);
     }
+
+    fn is_yanked(&mut self, pkg: PackageId) -> CargoResult<bool> {
+        (**self).is_yanked(pkg)
+    }
 }
 
 impl<'a, T: Source + ?Sized + 'a> Source for &'a mut T {
@@ -227,6 +235,10 @@ impl<'a, T: Source + ?Sized + 'a> Source for &'a mut T {
     fn add_to_yanked_whitelist(&mut self, pkgs: &[PackageId]) {
         (**self).add_to_yanked_whitelist(pkgs);
     }
+
+    fn is_yanked(&mut self, pkg: PackageId) -> CargoResult<bool> {
+        (**self).is_yanked(pkg)
+    }
 }
 
 /// A `HashMap` of `SourceId` -> `Box<Source>`.
diff --git a/src/cargo/core/source/source_id.rs b/src/cargo/core/source/source_id.rs
index 38231069b10..16b329336c1 100644
--- a/src/cargo/core/source/source_id.rs
+++ b/src/cargo/core/source/source_id.rs
@@ -228,7 +228,7 @@ impl SourceId {
         &self.inner.url
     }
 
-    pub fn display_registry(self) -> String {
+    pub fn display_index(self) -> String {
         if self.is_default_registry() {
             "crates.io index".to_string()
         } else {
@@ -236,6 +236,16 @@ impl SourceId {
         }
     }
 
+    pub fn display_registry_name(self) -> String {
+        if self.is_default_registry() {
+            "crates.io".to_string()
+        } else if let Some(name) = &self.inner.name {
+            name.clone()
+        } else {
+            url_display(self.url())
+        }
+    }
+
     /// Returns `true` if this source is from a filesystem path.
     pub fn is_path(self) -> bool {
         self.inner.kind == Kind::Path
diff --git a/src/cargo/ops/cargo_install.rs b/src/cargo/ops/cargo_install.rs
index 08c4693d34b..d891ea5c4cf 100644
--- a/src/cargo/ops/cargo_install.rs
+++ b/src/cargo/ops/cargo_install.rs
@@ -8,7 +8,8 @@ use tempfile::Builder as TempFileBuilder;
 
 use crate::core::compiler::Freshness;
 use crate::core::compiler::{DefaultExecutor, Executor};
-use crate::core::{Edition, PackageId, Source, SourceId, Workspace};
+use crate::core::resolver::Method;
+use crate::core::{Edition, PackageId, PackageIdSpec, Source, SourceId, Workspace};
 use crate::ops;
 use crate::ops::common_for_install_and_uninstall::*;
 use crate::sources::{GitSource, SourceConfigMap};
@@ -306,6 +307,8 @@ fn install_one(
 
     config.shell().status("Installing", pkg)?;
 
+    check_yanked_install(&ws)?;
+
     let exec: Arc<dyn Executor> = Arc::new(DefaultExecutor);
     let compile = ops::compile_ws(&ws, Some(source), opts, &exec).chain_err(|| {
         if let Some(td) = td_opt.take() {
@@ -481,6 +484,32 @@ fn install_one(
     }
 }
 
+fn check_yanked_install(ws: &Workspace<'_>) -> CargoResult<()> {
+    if ws.ignore_lock() || !ws.root().join("Cargo.lock").exists() {
+        return Ok(());
+    }
+    let specs = vec![PackageIdSpec::from_package_id(ws.current()?.package_id())];
+    // It would be best if `source` could be passed in here to avoid a
+    // duplicate "Updating", but since `source` is taken by value, then it
+    // wouldn't be available for `compile_ws`.
+    let (pkg_set, resolve) = ops::resolve_ws_with_method(ws, None, Method::Everything, &specs)?;
+    let mut sources = pkg_set.sources_mut();
+    for pkg_id in resolve.iter() {
+        if let Some(source) = sources.get_mut(pkg_id.source_id()) {
+            if source.is_yanked(pkg_id)? {
+                ws.config().shell().warn(format!(
+                    "package `{}` in Cargo.lock is yanked in registry `{}`, \
+                     consider running without --locked",
+                    pkg_id,
+                    pkg_id.source_id().display_registry_name()
+                ))?;
+            }
+        }
+    }
+
+    Ok(())
+}
+
 /// Display a list of installed binaries.
 pub fn install_list(dst: Option<&str>, config: &Config) -> CargoResult<()> {
     let root = resolve_root(dst, config)?;
diff --git a/src/cargo/ops/cargo_package.rs b/src/cargo/ops/cargo_package.rs
index 35f73a495e5..01f2454914c 100644
--- a/src/cargo/ops/cargo_package.rs
+++ b/src/cargo/ops/cargo_package.rs
@@ -12,7 +12,9 @@ use tar::{Builder, EntryType, Header};
 
 use crate::core::compiler::{BuildConfig, CompileMode, DefaultExecutor, Executor};
 use crate::core::resolver::Method;
-use crate::core::{Package, PackageId, PackageIdSpec, Resolve, Source, SourceId, Workspace};
+use crate::core::{
+    Package, PackageId, PackageIdSpec, PackageSet, Resolve, Source, SourceId, Workspace,
+};
 use crate::ops;
 use crate::sources::PathSource;
 use crate::util::errors::{CargoResult, CargoResultExt};
@@ -425,12 +427,14 @@ fn tar(
         let new_pkg = src.root_package()?;
         let specs = vec![PackageIdSpec::from_package_id(new_pkg.package_id())];
         let tmp_ws = Workspace::ephemeral(new_pkg, config, None, true)?;
-        let new_resolve = ops::resolve_ws_with_method(&tmp_ws, None, Method::Everything, &specs)?.1;
+        let (pkg_set, new_resolve) =
+            ops::resolve_ws_with_method(&tmp_ws, None, Method::Everything, &specs)?;
         // resolve_ws_with_method won't save for ephemeral, do it manually.
         ops::write_pkg_lockfile(&tmp_ws, &new_resolve)?;
         if let Some(orig_resolve) = orig_resolve {
             compare_resolve(config, tmp_ws.current()?, &orig_resolve, &new_resolve)?;
         }
+        check_yanked(config, &pkg_set, &new_resolve)?;
 
         let toml = paths::read(&new_lock_path)?;
         let path = format!(
@@ -536,6 +540,23 @@ fn compare_resolve(
     Ok(())
 }
 
+fn check_yanked(config: &Config, pkg_set: &PackageSet<'_>, resolve: &Resolve) -> CargoResult<()> {
+    let mut sources = pkg_set.sources_mut();
+    for pkg_id in resolve.iter() {
+        if let Some(source) = sources.get_mut(pkg_id.source_id()) {
+            if source.is_yanked(pkg_id)? {
+                config.shell().warn(format!(
+                    "package `{}` in Cargo.lock is yanked in registry `{}`, \
+                     consider updating to a version that is not yanked",
+                    pkg_id,
+                    pkg_id.source_id().display_registry_name()
+                ))?;
+            }
+        }
+    }
+    Ok(())
+}
+
 fn run_verify(ws: &Workspace<'_>, tar: &FileLock, opts: &PackageOpts<'_>) -> CargoResult<()> {
     let config = ws.config();
     let pkg = ws.current()?;
diff --git a/src/cargo/sources/directory.rs b/src/cargo/sources/directory.rs
index a16302f7404..aab31383c72 100644
--- a/src/cargo/sources/directory.rs
+++ b/src/cargo/sources/directory.rs
@@ -214,4 +214,8 @@ impl<'cfg> Source for DirectorySource<'cfg> {
     }
 
     fn add_to_yanked_whitelist(&mut self, _pkgs: &[PackageId]) {}
+
+    fn is_yanked(&mut self, _pkg: PackageId) -> CargoResult<bool> {
+        Ok(false)
+    }
 }
diff --git a/src/cargo/sources/git/source.rs b/src/cargo/sources/git/source.rs
index ce1400c363b..da96f6d0ce7 100644
--- a/src/cargo/sources/git/source.rs
+++ b/src/cargo/sources/git/source.rs
@@ -239,6 +239,10 @@ impl<'cfg> Source for GitSource<'cfg> {
     }
 
     fn add_to_yanked_whitelist(&mut self, _pkgs: &[PackageId]) {}
+
+    fn is_yanked(&mut self, _pkg: PackageId) -> CargoResult<bool> {
+        Ok(false)
+    }
 }
 
 #[cfg(test)]
diff --git a/src/cargo/sources/path.rs b/src/cargo/sources/path.rs
index 41c4bfdb269..a425421b5ff 100644
--- a/src/cargo/sources/path.rs
+++ b/src/cargo/sources/path.rs
@@ -575,4 +575,8 @@ impl<'cfg> Source for PathSource<'cfg> {
     }
 
     fn add_to_yanked_whitelist(&mut self, _pkgs: &[PackageId]) {}
+
+    fn is_yanked(&mut self, _pkg: PackageId) -> CargoResult<bool> {
+        Ok(false)
+    }
 }
diff --git a/src/cargo/sources/registry/index.rs b/src/cargo/sources/registry/index.rs
index 5ea1fdd5aeb..66f95d1d397 100644
--- a/src/cargo/sources/registry/index.rs
+++ b/src/cargo/sources/registry/index.rs
@@ -336,4 +336,13 @@ impl<'cfg> RegistryIndex<'cfg> {
         }
         Ok(count)
     }
+
+    pub fn is_yanked(&mut self, pkg: PackageId, load: &mut dyn RegistryData) -> CargoResult<bool> {
+        let summaries = self.summaries(pkg.name().as_str(), load)?;
+        let found = summaries
+            .iter()
+            .filter(|&(summary, _yanked)| summary.version() == pkg.version())
+            .any(|(_summary, yanked)| *yanked);
+        Ok(found)
+    }
 }
diff --git a/src/cargo/sources/registry/mod.rs b/src/cargo/sources/registry/mod.rs
index eb606068294..a2c6d4f9ce7 100644
--- a/src/cargo/sources/registry/mod.rs
+++ b/src/cargo/sources/registry/mod.rs
@@ -525,6 +525,7 @@ impl<'cfg> RegistrySource<'cfg> {
         let path = self.ops.index_path();
         self.index =
             index::RegistryIndex::new(self.source_id, path, self.config, self.index_locked);
+        self.updated = true;
         Ok(())
     }
 
@@ -645,10 +646,17 @@ impl<'cfg> Source for RegistrySource<'cfg> {
     }
 
     fn describe(&self) -> String {
-        self.source_id.display_registry()
+        self.source_id.display_index()
     }
 
     fn add_to_yanked_whitelist(&mut self, pkgs: &[PackageId]) {
         self.yanked_whitelist.extend(pkgs);
     }
+
+    fn is_yanked(&mut self, pkg: PackageId) -> CargoResult<bool> {
+        if !self.updated {
+            self.do_update()?;
+        }
+        self.index.is_yanked(pkg, &mut *self.ops)
+    }
 }
diff --git a/src/cargo/sources/registry/remote.rs b/src/cargo/sources/registry/remote.rs
index dceb515c848..cb3e3ac7fb6 100644
--- a/src/cargo/sources/registry/remote.rs
+++ b/src/cargo/sources/registry/remote.rs
@@ -200,7 +200,7 @@ impl<'cfg> RegistryData for RemoteRegistry<'cfg> {
                 .open_rw(Path::new(INDEX_LOCK), self.config, "the registry index")?;
         self.config
             .shell()
-            .status("Updating", self.source_id.display_registry())?;
+            .status("Updating", self.source_id.display_index())?;
 
         // git fetch origin master
         let url = self.source_id.url();
diff --git a/src/cargo/sources/replaced.rs b/src/cargo/sources/replaced.rs
index 1a8b1885530..7f4a622fd84 100644
--- a/src/cargo/sources/replaced.rs
+++ b/src/cargo/sources/replaced.rs
@@ -121,4 +121,8 @@ impl<'cfg> Source for ReplacedSource<'cfg> {
             .collect::<Vec<_>>();
         self.inner.add_to_yanked_whitelist(&pkgs);
     }
+
+    fn is_yanked(&mut self, pkg: PackageId) -> CargoResult<bool> {
+        self.inner.is_yanked(pkg)
+    }
 }
diff --git a/tests/testsuite/publish_lockfile.rs b/tests/testsuite/publish_lockfile.rs
index de04876f4f2..083cd0a9b12 100644
--- a/tests/testsuite/publish_lockfile.rs
+++ b/tests/testsuite/publish_lockfile.rs
@@ -257,7 +257,12 @@ fn no_warn_workspace_extras() {
     p.cargo("package --no-verify")
         .cwd("a")
         .masquerade_as_nightly_cargo()
-        .with_stderr("[PACKAGING] a v0.1.0 ([..])")
+        .with_stderr(
+            "\
+[PACKAGING] a v0.1.0 ([..])
+[UPDATING] `[..]` index
+",
+        )
         .run();
 }
 
@@ -306,3 +311,106 @@ fn out_of_date_lock_warn() {
         )
         .run();
 }
+
+#[test]
+fn warn_package_with_yanked() {
+    Package::new("bar", "0.1.0").publish();
+    let p = project()
+        .file(
+            "Cargo.toml",
+            &pl_manifest(
+                "foo",
+                "0.0.1",
+                r#"
+                [dependencies]
+                bar = "0.1"
+                "#,
+            ),
+        )
+        .file("src/main.rs", "fn main() {}")
+        .build();
+    p.cargo("generate-lockfile")
+        .masquerade_as_nightly_cargo()
+        .run();
+    Package::new("bar", "0.1.0").yanked(true).publish();
+    // Make sure it sticks with the locked (yanked) version.
+    Package::new("bar", "0.1.1").publish();
+    p.cargo("package --no-verify")
+        .masquerade_as_nightly_cargo()
+        .with_stderr(
+            "\
+[PACKAGING] foo v0.0.1 ([..])
+[UPDATING] `[..]` index
+[WARNING] package `bar v0.1.0` in Cargo.lock is yanked in registry \
+    `crates.io`, consider updating to a version that is not yanked
+",
+        )
+        .run();
+}
+
+#[test]
+fn warn_install_with_yanked() {
+    Package::new("bar", "0.1.0").yanked(true).publish();
+    Package::new("bar", "0.1.1").publish();
+    Package::new("foo", "0.1.0")
+        .dep("bar", "0.1")
+        .file("src/main.rs", "fn main() {}")
+        .file(
+            "Cargo.lock",
+            r#"
+[[package]]
+name = "bar"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
+[[package]]
+name = "foo"
+version = "0.1.0"
+dependencies = [
+ "bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+            "#,
+        )
+        .publish();
+
+    // It is unfortunate that this displays UPDATING twice.
+    cargo_process("install --locked foo")
+        .with_stderr(
+            "\
+[UPDATING] `[..]` index
+[DOWNLOADING] crates ...
+[DOWNLOADED] foo v0.1.0 (registry `[..]`)
+[INSTALLING] foo v0.1.0
+[UPDATING] `[..]` index
+[WARNING] package `bar v0.1.0` in Cargo.lock is yanked in registry \
+    `crates.io`, consider running without --locked
+[DOWNLOADING] crates ...
+[DOWNLOADED] bar v0.1.0 (registry `[..]`)
+[COMPILING] bar v0.1.0
+[COMPILING] foo v0.1.0
+[FINISHED] release [optimized] target(s) in [..]
+[INSTALLING] [..]/.cargo/bin/foo[EXE]
+[INSTALLED] package `foo v0.1.0` (executable `foo[EXE]`)
+[WARNING] be sure to add [..]
+",
+        )
+        .run();
+
+    // Try again without --locked, make sure it uses 0.1.1 and does not warn.
+    cargo_process("install --force foo")
+        .with_stderr(
+            "\
+[UPDATING] `[..]` index
+[INSTALLING] foo v0.1.0
+[DOWNLOADING] crates ...
+[DOWNLOADED] bar v0.1.1 (registry `[..]`)
+[COMPILING] bar v0.1.1
+[COMPILING] foo v0.1.0
+[FINISHED] release [optimized] target(s) in [..]
+[REPLACING] [..]/.cargo/bin/foo[EXE]
+[REPLACED] package `foo v0.1.0` with `foo v0.1.0` (executable `foo[EXE]`)
+[WARNING] be sure to add [..]
+",
+        )
+        .run();
+}

From c03c85ad49cb424b4f33884a619462ae45e38312 Mon Sep 17 00:00:00 2001
From: Eric Huss <eric@huss.org>
Date: Tue, 9 Apr 2019 20:00:57 -0700
Subject: [PATCH 05/12] publish-lockfile: Change default to `true`.

The feature still needs to be enabled.
---
 src/cargo/util/toml/mod.rs          |  2 +-
 tests/testsuite/publish_lockfile.rs | 63 +++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/src/cargo/util/toml/mod.rs b/src/cargo/util/toml/mod.rs
index 676e882e15c..399e7ea6d2f 100644
--- a/src/cargo/util/toml/mod.rs
+++ b/src/cargo/util/toml/mod.rs
@@ -1035,7 +1035,7 @@ impl TomlManifest {
                 features.require(Feature::publish_lockfile())?;
                 b
             }
-            None => false,
+            None => features.is_enabled(Feature::publish_lockfile()),
         };
 
         if summary.features().contains_key("default-features") {
diff --git a/tests/testsuite/publish_lockfile.rs b/tests/testsuite/publish_lockfile.rs
index 083cd0a9b12..d0bf5dc0f0c 100644
--- a/tests/testsuite/publish_lockfile.rs
+++ b/tests/testsuite/publish_lockfile.rs
@@ -414,3 +414,66 @@ dependencies = [
         )
         .run();
 }
+
+#[test]
+fn publish_lockfile_default() {
+    let p = project()
+        .file(
+            "Cargo.toml",
+            r#"
+            cargo-features = ["publish-lockfile"]
+            [package]
+            name = "foo"
+            version = "1.0.0"
+            authors = []
+            license = "MIT"
+            description = "foo"
+            documentation = "foo"
+            homepage = "foo"
+            repository = "foo"
+            "#,
+        )
+        .file("src/main.rs", "fn main() {}")
+        .build();
+
+    p.cargo("package -l")
+        .masquerade_as_nightly_cargo()
+        .with_stdout(
+            "\
+Cargo.lock
+Cargo.toml
+src/main.rs
+",
+        )
+        .run();
+
+    let p = project()
+        .file(
+            "Cargo.toml",
+            r#"
+            cargo-features = ["publish-lockfile"]
+            [package]
+            name = "foo"
+            version = "1.0.0"
+            authors = []
+            license = "MIT"
+            description = "foo"
+            documentation = "foo"
+            homepage = "foo"
+            repository = "foo"
+            publish-lockfile = false
+            "#,
+        )
+        .file("src/main.rs", "fn main() {}")
+        .build();
+
+    p.cargo("package -l")
+        .masquerade_as_nightly_cargo()
+        .with_stdout(
+            "\
+Cargo.toml
+src/main.rs
+",
+        )
+        .run();
+}

From eae89007a6d529d51f7474d642835f0273353557 Mon Sep 17 00:00:00 2001
From: Eric Huss <eric@huss.org>
Date: Sat, 13 Apr 2019 16:43:53 -0700
Subject: [PATCH 06/12] Make --locked required for `cargo install --path`, too.

---
 src/cargo/ops/cargo_install.rs |  9 +++------
 tests/testsuite/install.rs     | 12 ++++++++----
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/src/cargo/ops/cargo_install.rs b/src/cargo/ops/cargo_install.rs
index d891ea5c4cf..a9ee557a04f 100644
--- a/src/cargo/ops/cargo_install.rs
+++ b/src/cargo/ops/cargo_install.rs
@@ -215,18 +215,15 @@ fn install_one(
         Some(Filesystem::new(config.cwd().join("target-install")))
     };
 
-    let ws = match overidden_target_dir {
-        Some(dir) => {
-            let mut ws = Workspace::ephemeral(pkg, config, Some(dir), false)?;
-            ws.set_ignore_lock(config.lock_update_allowed());
-            ws
-        }
+    let mut ws = match overidden_target_dir {
+        Some(dir) => Workspace::ephemeral(pkg, config, Some(dir), false)?,
         None => {
             let mut ws = Workspace::new(pkg.manifest_path(), config)?;
             ws.set_require_optional_deps(false);
             ws
         }
     };
+    ws.set_ignore_lock(config.lock_update_allowed());
     let pkg = ws.current()?;
 
     if from_cwd {
diff --git a/tests/testsuite/install.rs b/tests/testsuite/install.rs
index ada9f3f5c5a..e3fb49d1224 100644
--- a/tests/testsuite/install.rs
+++ b/tests/testsuite/install.rs
@@ -1190,8 +1190,7 @@ fn custom_target_dir_for_git_source() {
 
 #[test]
 fn install_respects_lock_file() {
-    // `cargo install` now requires --locked to use a Cargo.lock for non
-    // --path installs.
+    // `cargo install` now requires --locked to use a Cargo.lock.
     Package::new("bar", "0.1.0").publish();
     Package::new("bar", "0.1.1")
         .file("src/lib.rs", "not rust")
@@ -1230,7 +1229,8 @@ dependencies = [
 
 #[test]
 fn install_path_respects_lock_file() {
-    // For --path installs, always use local Cargo.lock.
+    // --path version of install_path_respects_lock_file, --locked is required
+    // to use Cargo.lock.
     Package::new("bar", "0.1.0").publish();
     Package::new("bar", "0.1.1")
         .file("src/lib.rs", "not rust")
@@ -1266,7 +1266,11 @@ dependencies = [
         )
         .build();
 
-    p.cargo("install --path .").run();
+    p.cargo("install --path .")
+        .with_stderr_contains("[..]not rust[..]")
+        .with_status(101)
+        .run();
+    p.cargo("install --path . --locked").run();
 }
 
 #[test]

From 6eb55abe2c28c4d7fda334e782215c06a1e59e4c Mon Sep 17 00:00:00 2001
From: Eric Huss <eric@huss.org>
Date: Sat, 13 Apr 2019 17:33:42 -0700
Subject: [PATCH 07/12] cargo package: Change lock file updates from warning to
 requiring -v.

---
 src/cargo/ops/cargo_package.rs      | 11 +++++++----
 tests/testsuite/publish_lockfile.rs | 18 +++++++++++-------
 tests/testsuite/support/mod.rs      |  1 +
 3 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/src/cargo/ops/cargo_package.rs b/src/cargo/ops/cargo_package.rs
index 01f2454914c..6369b0b639f 100644
--- a/src/cargo/ops/cargo_package.rs
+++ b/src/cargo/ops/cargo_package.rs
@@ -9,11 +9,12 @@ use flate2::{Compression, GzBuilder};
 use log::debug;
 use serde_json::{self, json};
 use tar::{Builder, EntryType, Header};
+use termcolor::Color;
 
 use crate::core::compiler::{BuildConfig, CompileMode, DefaultExecutor, Executor};
 use crate::core::resolver::Method;
 use crate::core::{
-    Package, PackageId, PackageIdSpec, PackageSet, Resolve, Source, SourceId, Workspace,
+    Package, PackageId, PackageIdSpec, PackageSet, Resolve, Source, SourceId, Verbosity, Workspace,
 };
 use crate::ops;
 use crate::sources::PathSource;
@@ -465,6 +466,9 @@ fn compare_resolve(
     orig_resolve: &Resolve,
     new_resolve: &Resolve,
 ) -> CargoResult<()> {
+    if config.shell().verbosity() != Verbosity::Verbose {
+        return Ok(());
+    }
     let new_set: BTreeSet<PackageId> = new_resolve.iter().collect();
     let orig_set: BTreeSet<PackageId> = orig_resolve.iter().collect();
     let added = new_set.difference(&orig_set);
@@ -533,9 +537,8 @@ fn compare_resolve(
                 )
             }
         };
-        config
-            .shell()
-            .warn(format!("package `{}` added to Cargo.lock{}", pkg_id, extra))?;
+        let msg = format!("package `{}` added to Cargo.lock{}", pkg_id, extra);
+        config.shell().status_with_color("Note", msg, Color::Cyan)?;
     }
     Ok(())
 }
diff --git a/tests/testsuite/publish_lockfile.rs b/tests/testsuite/publish_lockfile.rs
index d0bf5dc0f0c..db49fc33a47 100644
--- a/tests/testsuite/publish_lockfile.rs
+++ b/tests/testsuite/publish_lockfile.rs
@@ -139,7 +139,7 @@ fn lock_file_and_workspace() {
 }
 
 #[test]
-fn warn_resolve_changes() {
+fn note_resolve_changes() {
     // `multi` has multiple sources (path and registry).
     Package::new("mutli", "0.1.0").publish();
     // `updated` is always from registry, but should not change.
@@ -178,14 +178,16 @@ fn warn_resolve_changes() {
     // Make sure this does not change or warn.
     Package::new("updated", "1.0.1").publish();
 
-    p.cargo("package --no-verify")
+    p.cargo("package --no-verify -v --allow-dirty")
         .masquerade_as_nightly_cargo()
         .with_stderr_unordered(
             "\
 [PACKAGING] foo v0.0.1 ([..])
+[ARCHIVING] Cargo.toml
+[ARCHIVING] src/main.rs
 [UPDATING] `[..]` index
-[WARNING] package `mutli v0.1.0` added to Cargo.lock, was originally sourced from `[..]/foo/mutli`
-[WARNING] package `patched v1.0.0` added to Cargo.lock, was originally sourced from `[..]/foo/patched`
+[NOTE] package `mutli v0.1.0` added to Cargo.lock, was originally sourced from `[..]/foo/mutli`
+[NOTE] package `patched v1.0.0` added to Cargo.lock, was originally sourced from `[..]/foo/patched`
 ",
         )
         .run();
@@ -267,7 +269,7 @@ fn no_warn_workspace_extras() {
 }
 
 #[test]
-fn out_of_date_lock_warn() {
+fn out_of_date_lock_note() {
     // Dependency is force-changed from an out-of-date Cargo.lock.
     Package::new("dep", "1.0.0").publish();
     Package::new("dep", "2.0.0").publish();
@@ -300,13 +302,15 @@ fn out_of_date_lock_warn() {
             "#,
         ),
     );
-    p.cargo("package --no-verify")
+    p.cargo("package --no-verify -v --allow-dirty")
         .masquerade_as_nightly_cargo()
         .with_stderr(
             "\
 [PACKAGING] foo v0.0.1 ([..])
+[ARCHIVING] Cargo.toml
+[ARCHIVING] src/main.rs
 [UPDATING] `[..]` index
-[WARNING] package `dep v2.0.0` added to Cargo.lock, previous version was `1.0.0`
+[NOTE] package `dep v2.0.0` added to Cargo.lock, previous version was `1.0.0`
 ",
         )
         .run();
diff --git a/tests/testsuite/support/mod.rs b/tests/testsuite/support/mod.rs
index 36c146a049d..c8e8428ab3d 100644
--- a/tests/testsuite/support/mod.rs
+++ b/tests/testsuite/support/mod.rs
@@ -1620,6 +1620,7 @@ fn substitute_macros(input: &str) -> String {
         ("[IGNORED]", "     Ignored"),
         ("[INSTALLED]", "   Installed"),
         ("[REPLACED]", "    Replaced"),
+        ("[NOTE]", "        Note"),
     ];
     let mut result = input.to_owned();
     for &(pat, subst) in &macros {

From 9328b12b3589522905a337de16cb9914eeb84383 Mon Sep 17 00:00:00 2001
From: Eric Huss <eric@huss.org>
Date: Sun, 14 Apr 2019 10:57:06 -0700
Subject: [PATCH 08/12] cargo publish: Revert back to extracting tar file.

This constructs the new Cargo.lock in memory instead of writing it directly
to disk. The in-memory copy is added to the tar file directly.
---
 src/cargo/ops/cargo_package.rs | 92 ++++++++++++++++++----------------
 src/cargo/ops/lockfile.rs      | 87 +++++++++++++++++++-------------
 src/cargo/ops/mod.rs           |  2 +-
 src/cargo/util/toml/mod.rs     |  2 +-
 4 files changed, 101 insertions(+), 82 deletions(-)

diff --git a/src/cargo/ops/cargo_package.rs b/src/cargo/ops/cargo_package.rs
index 6369b0b639f..9bac8ab2855 100644
--- a/src/cargo/ops/cargo_package.rs
+++ b/src/cargo/ops/cargo_package.rs
@@ -3,12 +3,14 @@ use std::fs::{self, File};
 use std::io::prelude::*;
 use std::io::SeekFrom;
 use std::path::{self, Path, PathBuf};
+use std::rc::Rc;
 use std::sync::Arc;
 
+use flate2::read::GzDecoder;
 use flate2::{Compression, GzBuilder};
 use log::debug;
 use serde_json::{self, json};
-use tar::{Builder, EntryType, Header};
+use tar::{Archive, Builder, EntryType, Header};
 use termcolor::Color;
 
 use crate::core::compiler::{BuildConfig, CompileMode, DefaultExecutor, Executor};
@@ -20,6 +22,7 @@ use crate::ops;
 use crate::sources::PathSource;
 use crate::util::errors::{CargoResult, CargoResultExt};
 use crate::util::paths;
+use crate::util::toml::TomlManifest;
 use crate::util::{self, internal, Config, FileLock};
 
 pub struct PackageOpts<'cfg> {
@@ -102,7 +105,7 @@ pub fn package(ws: &Workspace<'_>, opts: &PackageOpts<'_>) -> CargoResult<Option
         .shell()
         .status("Packaging", pkg.package_id().to_string())?;
     dst.file().set_len(0)?;
-    tar(ws, &src_files, vcs_info.as_ref(), &dst, &filename)
+    tar(ws, &src_files, vcs_info.as_ref(), dst.file(), &filename)
         .chain_err(|| failure::format_err!("failed to prepare local package for uploading"))?;
     if opts.verify {
         dst.seek(SeekFrom::Start(0))?;
@@ -118,6 +121,34 @@ pub fn package(ws: &Workspace<'_>, opts: &PackageOpts<'_>) -> CargoResult<Option
     Ok(Some(dst))
 }
 
+/// Construct `Cargo.lock` for the package to be published.
+fn build_lock(ws: &Workspace<'_>) -> CargoResult<String> {
+    let config = ws.config();
+    let orig_resolve = ops::load_pkg_lockfile(ws)?;
+
+    // Convert Package -> TomlManifest -> Manifest -> Package
+    let orig_pkg = ws.current()?;
+    let toml_manifest = Rc::new(orig_pkg.manifest().original().prepare_for_publish(config)?);
+    let package_root = orig_pkg.root();
+    let source_id = orig_pkg.package_id().source_id();
+    let (manifest, _nested_paths) =
+        TomlManifest::to_real_manifest(&toml_manifest, source_id, package_root, config)?;
+    let new_pkg = Package::new(manifest, orig_pkg.manifest_path());
+
+    // Regenerate Cargo.lock using the old one as a guide.
+    let specs = vec![PackageIdSpec::from_package_id(new_pkg.package_id())];
+    let tmp_ws = Workspace::ephemeral(new_pkg, ws.config(), None, true)?;
+    let (pkg_set, new_resolve) =
+        ops::resolve_ws_with_method(&tmp_ws, None, Method::Everything, &specs)?;
+
+    if let Some(orig_resolve) = orig_resolve {
+        compare_resolve(config, tmp_ws.current()?, &orig_resolve, &new_resolve)?;
+    }
+    check_yanked(config, &pkg_set, &new_resolve)?;
+
+    ops::resolve_to_string(&tmp_ws, &new_resolve)
+}
+
 fn include_lockfile(pkg: &Package) -> bool {
     pkg.manifest().publish_lockfile() && pkg.targets().iter().any(|t| t.is_example() || t.is_bin())
 }
@@ -283,28 +314,21 @@ fn tar(
     ws: &Workspace<'_>,
     src_files: &[PathBuf],
     vcs_info: Option<&serde_json::Value>,
-    dst: &FileLock,
+    dst: &File,
     filename: &str,
 ) -> CargoResult<()> {
     // Prepare the encoder and its header.
     let filename = Path::new(filename);
     let encoder = GzBuilder::new()
         .filename(util::path2bytes(filename)?)
-        .write(dst.file(), Compression::best());
+        .write(dst, Compression::best());
 
     // Put all package files into a compressed archive.
     let mut ar = Builder::new(encoder);
     let pkg = ws.current()?;
     let config = ws.config();
     let root = pkg.root();
-    // While creating the tar file, also copy to the output directory.
-    let dest_copy_root = dst
-        .parent()
-        .join(format!("{}-{}", pkg.name(), pkg.version()));
-    if dest_copy_root.exists() {
-        paths::remove_dir_all(&dest_copy_root)?;
-    }
-    fs::create_dir_all(&dest_copy_root)?;
+
     for src_file in src_files {
         let relative = src_file.strip_prefix(root)?;
         check_filename(relative)?;
@@ -369,19 +393,11 @@ fn tar(
             ar.append(&header, toml.as_bytes()).chain_err(|| {
                 internal(format!("could not archive source file `{}`", relative_str))
             })?;
-            fs::write(dest_copy_root.join(relative), toml)?;
-            fs::copy(src_file, dest_copy_root.join("Cargo.toml.orig"))?;
         } else {
             header.set_cksum();
             ar.append(&header, &mut file).chain_err(|| {
                 internal(format!("could not archive source file `{}`", relative_str))
             })?;
-            let dest = dest_copy_root.join(relative);
-            let parent = dest.parent().unwrap();
-            if !parent.exists() {
-                fs::create_dir_all(parent)?;
-            }
-            fs::copy(src_file, dest)?;
         }
     }
 
@@ -415,29 +431,8 @@ fn tar(
     }
 
     if include_lockfile(pkg) {
-        let orig_lock_path = ws.root().join("Cargo.lock");
-        let new_lock_path = dest_copy_root.join("Cargo.lock");
-        if orig_lock_path.exists() {
-            fs::copy(&orig_lock_path, &new_lock_path)?;
-        }
+        let new_lock = build_lock(&ws)?;
 
-        // Regenerate Cargo.lock using the old one as a guide.
-        let orig_resolve = ops::load_pkg_lockfile(ws)?;
-        let id = SourceId::for_path(&dest_copy_root)?;
-        let mut src = PathSource::new(&dest_copy_root, id, ws.config());
-        let new_pkg = src.root_package()?;
-        let specs = vec![PackageIdSpec::from_package_id(new_pkg.package_id())];
-        let tmp_ws = Workspace::ephemeral(new_pkg, config, None, true)?;
-        let (pkg_set, new_resolve) =
-            ops::resolve_ws_with_method(&tmp_ws, None, Method::Everything, &specs)?;
-        // resolve_ws_with_method won't save for ephemeral, do it manually.
-        ops::write_pkg_lockfile(&tmp_ws, &new_resolve)?;
-        if let Some(orig_resolve) = orig_resolve {
-            compare_resolve(config, tmp_ws.current()?, &orig_resolve, &new_resolve)?;
-        }
-        check_yanked(config, &pkg_set, &new_resolve)?;
-
-        let toml = paths::read(&new_lock_path)?;
         let path = format!(
             "{}-{}{}Cargo.lock",
             pkg.name(),
@@ -448,9 +443,9 @@ fn tar(
         header.set_path(&path)?;
         header.set_entry_type(EntryType::file());
         header.set_mode(0o644);
-        header.set_size(toml.len() as u64);
+        header.set_size(new_lock.len() as u64);
         header.set_cksum();
-        ar.append(&header, toml.as_bytes())
+        ar.append(&header, new_lock.as_bytes())
             .chain_err(|| internal("could not archive source file `Cargo.lock`"))?;
     }
 
@@ -566,9 +561,18 @@ fn run_verify(ws: &Workspace<'_>, tar: &FileLock, opts: &PackageOpts<'_>) -> Car
 
     config.shell().status("Verifying", pkg)?;
 
+    let f = GzDecoder::new(tar.file());
     let dst = tar
         .parent()
         .join(&format!("{}-{}", pkg.name(), pkg.version()));
+    if dst.exists() {
+        paths::remove_dir_all(&dst)?;
+    }
+    let mut archive = Archive::new(f);
+    // We don't need to set the Modified Time, as it's not relevant to verification
+    // and it errors on filesystems that don't support setting a modified timestamp
+    archive.set_preserve_mtime(false);
+    archive.unpack(dst.parent().unwrap())?;
 
     // Manufacture an ephemeral workspace to ensure that even if the top-level
     // package has a workspace we can still build our new crate.
diff --git a/src/cargo/ops/lockfile.rs b/src/cargo/ops/lockfile.rs
index 9ea51394686..71d956e9cec 100644
--- a/src/cargo/ops/lockfile.rs
+++ b/src/cargo/ops/lockfile.rs
@@ -29,7 +29,57 @@ pub fn load_pkg_lockfile(ws: &Workspace<'_>) -> CargoResult<Option<Resolve>> {
     Ok(resolve)
 }
 
+/// Generate a toml String of Cargo.lock from a Resolve.
+pub fn resolve_to_string(ws: &Workspace<'_>, resolve: &Resolve) -> CargoResult<String> {
+    let (_orig, out, _ws_root) = resolve_to_string_orig(ws, resolve)?;
+    Ok(out)
+}
+
 pub fn write_pkg_lockfile(ws: &Workspace<'_>, resolve: &Resolve) -> CargoResult<()> {
+    let (orig, out, ws_root) = resolve_to_string_orig(ws, resolve)?;
+
+    // If the lock file contents haven't changed so don't rewrite it. This is
+    // helpful on read-only filesystems.
+    if let Some(orig) = orig {
+        if are_equal_lockfiles(orig, &out, ws) {
+            return Ok(());
+        }
+    }
+
+    if !ws.config().lock_update_allowed() {
+        if ws.config().cli_unstable().offline {
+            failure::bail!("can't update in the offline mode");
+        }
+
+        let flag = if ws.config().network_allowed() {
+            "--locked"
+        } else {
+            "--frozen"
+        };
+        failure::bail!(
+            "the lock file {} needs to be updated but {} was passed to \
+             prevent this",
+            ws.root().to_path_buf().join("Cargo.lock").display(),
+            flag
+        );
+    }
+
+    // Ok, if that didn't work just write it out
+    ws_root
+        .open_rw("Cargo.lock", ws.config(), "Cargo.lock file")
+        .and_then(|mut f| {
+            f.file().set_len(0)?;
+            f.write_all(out.as_bytes())?;
+            Ok(())
+        })
+        .chain_err(|| format!("failed to write {}", ws.root().join("Cargo.lock").display()))?;
+    Ok(())
+}
+
+fn resolve_to_string_orig(
+    ws: &Workspace<'_>,
+    resolve: &Resolve,
+) -> CargoResult<(Option<String>, String, Filesystem)> {
     // Load the original lock file if it exists.
     let ws_root = Filesystem::new(ws.root().to_path_buf());
     let orig = ws_root.open_ro("Cargo.lock", ws.config(), "Cargo.lock file");
@@ -94,42 +144,7 @@ pub fn write_pkg_lockfile(ws: &Workspace<'_>, resolve: &Resolve) -> CargoResult<
         out.push_str(&meta.to_string());
     }
 
-    // If the lock file contents haven't changed so don't rewrite it. This is
-    // helpful on read-only filesystems.
-    if let Ok(orig) = orig {
-        if are_equal_lockfiles(orig, &out, ws) {
-            return Ok(());
-        }
-    }
-
-    if !ws.config().lock_update_allowed() {
-        if ws.config().cli_unstable().offline {
-            failure::bail!("can't update in the offline mode");
-        }
-
-        let flag = if ws.config().network_allowed() {
-            "--locked"
-        } else {
-            "--frozen"
-        };
-        failure::bail!(
-            "the lock file {} needs to be updated but {} was passed to \
-             prevent this",
-            ws.root().to_path_buf().join("Cargo.lock").display(),
-            flag
-        );
-    }
-
-    // Ok, if that didn't work just write it out
-    ws_root
-        .open_rw("Cargo.lock", ws.config(), "Cargo.lock file")
-        .and_then(|mut f| {
-            f.file().set_len(0)?;
-            f.write_all(out.as_bytes())?;
-            Ok(())
-        })
-        .chain_err(|| format!("failed to write {}", ws.root().join("Cargo.lock").display()))?;
-    Ok(())
+    Ok((orig.ok(), out, ws_root))
 }
 
 fn are_equal_lockfiles(mut orig: String, current: &str, ws: &Workspace<'_>) -> bool {
diff --git a/src/cargo/ops/mod.rs b/src/cargo/ops/mod.rs
index e60dcd7b85a..997ead71fa6 100644
--- a/src/cargo/ops/mod.rs
+++ b/src/cargo/ops/mod.rs
@@ -16,7 +16,7 @@ pub use self::cargo_run::run;
 pub use self::cargo_test::{run_benches, run_tests, TestOptions};
 pub use self::cargo_uninstall::uninstall;
 pub use self::fix::{fix, fix_maybe_exec_rustc, FixOptions};
-pub use self::lockfile::{load_pkg_lockfile, write_pkg_lockfile};
+pub use self::lockfile::{load_pkg_lockfile, resolve_to_string, write_pkg_lockfile};
 pub use self::registry::HttpTimeout;
 pub use self::registry::{configure_http_handle, http_handle_and_timeout};
 pub use self::registry::{http_handle, needs_custom_http_transport, registry_login, search};
diff --git a/src/cargo/util/toml/mod.rs b/src/cargo/util/toml/mod.rs
index 399e7ea6d2f..be2baca7ae3 100644
--- a/src/cargo/util/toml/mod.rs
+++ b/src/cargo/util/toml/mod.rs
@@ -822,7 +822,7 @@ impl TomlManifest {
         }
     }
 
-    fn to_real_manifest(
+    pub fn to_real_manifest(
         me: &Rc<TomlManifest>,
         source_id: SourceId,
         package_root: &Path,

From 753b03f652a3c026b883404cfe8a61ce9d767083 Mon Sep 17 00:00:00 2001
From: Eric Huss <eric@huss.org>
Date: Tue, 16 Apr 2019 09:06:59 -0700
Subject: [PATCH 09/12] Alter `cargo package` Cargo.lock modification note.

Try to make it clearer that it is not modifying the actual Cargo.lock file, but
the one that is being stored in the .crate file.
---
 src/cargo/ops/cargo_package.rs      | 2 +-
 tests/testsuite/publish_lockfile.rs | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/cargo/ops/cargo_package.rs b/src/cargo/ops/cargo_package.rs
index 9bac8ab2855..d54751536a9 100644
--- a/src/cargo/ops/cargo_package.rs
+++ b/src/cargo/ops/cargo_package.rs
@@ -532,7 +532,7 @@ fn compare_resolve(
                 )
             }
         };
-        let msg = format!("package `{}` added to Cargo.lock{}", pkg_id, extra);
+        let msg = format!("package `{}` added to the packaged Cargo.lock file{}", pkg_id, extra);
         config.shell().status_with_color("Note", msg, Color::Cyan)?;
     }
     Ok(())
diff --git a/tests/testsuite/publish_lockfile.rs b/tests/testsuite/publish_lockfile.rs
index db49fc33a47..ff29d6c7f88 100644
--- a/tests/testsuite/publish_lockfile.rs
+++ b/tests/testsuite/publish_lockfile.rs
@@ -186,8 +186,8 @@ fn note_resolve_changes() {
 [ARCHIVING] Cargo.toml
 [ARCHIVING] src/main.rs
 [UPDATING] `[..]` index
-[NOTE] package `mutli v0.1.0` added to Cargo.lock, was originally sourced from `[..]/foo/mutli`
-[NOTE] package `patched v1.0.0` added to Cargo.lock, was originally sourced from `[..]/foo/patched`
+[NOTE] package `mutli v0.1.0` added to the packaged Cargo.lock file, was originally sourced from `[..]/foo/mutli`
+[NOTE] package `patched v1.0.0` added to the packaged Cargo.lock file, was originally sourced from `[..]/foo/patched`
 ",
         )
         .run();
@@ -310,7 +310,7 @@ fn out_of_date_lock_note() {
 [ARCHIVING] Cargo.toml
 [ARCHIVING] src/main.rs
 [UPDATING] `[..]` index
-[NOTE] package `dep v2.0.0` added to Cargo.lock, previous version was `1.0.0`
+[NOTE] package `dep v2.0.0` added to the packaged Cargo.lock file, previous version was `1.0.0`
 ",
         )
         .run();

From 5553284d05abef4ce5eab325fb46a24366601e91 Mon Sep 17 00:00:00 2001
From: Eric Huss <eric@huss.org>
Date: Tue, 16 Apr 2019 11:03:20 -0700
Subject: [PATCH 10/12] Avoid multiple index updates.

This also restores the Cargo.lock update during packaging.
---
 src/cargo/ops/cargo_package.rs       |  2 ++
 src/cargo/sources/registry/remote.rs |  7 ++++
 src/cargo/util/config.rs             |  9 +++++
 tests/testsuite/publish_lockfile.rs  | 50 ----------------------------
 4 files changed, 18 insertions(+), 50 deletions(-)

diff --git a/src/cargo/ops/cargo_package.rs b/src/cargo/ops/cargo_package.rs
index d54751536a9..f58f08a5665 100644
--- a/src/cargo/ops/cargo_package.rs
+++ b/src/cargo/ops/cargo_package.rs
@@ -41,6 +41,8 @@ pub struct PackageOpts<'cfg> {
 static VCS_INFO_FILE: &'static str = ".cargo_vcs_info.json";
 
 pub fn package(ws: &Workspace<'_>, opts: &PackageOpts<'_>) -> CargoResult<Option<FileLock>> {
+    // Make sure the Cargo.lock is up-to-date and valid.
+    ops::resolve_ws(ws)?;
     let pkg = ws.current()?;
     let config = ws.config();
 
diff --git a/src/cargo/sources/registry/remote.rs b/src/cargo/sources/registry/remote.rs
index cb3e3ac7fb6..9a1933c13bd 100644
--- a/src/cargo/sources/registry/remote.rs
+++ b/src/cargo/sources/registry/remote.rs
@@ -181,6 +181,12 @@ impl<'cfg> RegistryData for RemoteRegistry<'cfg> {
         if self.config.cli_unstable().no_index_update {
             return Ok(());
         }
+        // Make sure the index is only updated once per session since it is an
+        // expensive operation. This generally only happens when the resolver
+        // is run multiple times, such as during `cargo publish`.
+        if self.config.updated_sources().contains(&self.source_id) {
+            return Ok(());
+        }
 
         debug!("updating the index");
 
@@ -208,6 +214,7 @@ impl<'cfg> RegistryData for RemoteRegistry<'cfg> {
         let repo = self.repo.borrow_mut().unwrap();
         git::fetch(repo, url, refspec, self.config)
             .chain_err(|| format!("failed to fetch `{}`", url))?;
+        self.config.updated_sources().insert(self.source_id);
         Ok(())
     }
 
diff --git a/src/cargo/util/config.rs b/src/cargo/util/config.rs
index 8a177fad47f..148a5735e29 100644
--- a/src/cargo/util/config.rs
+++ b/src/cargo/util/config.rs
@@ -74,6 +74,8 @@ pub struct Config {
     env: HashMap<String, String>,
     /// Profiles loaded from config.
     profiles: LazyCell<ConfigProfiles>,
+    /// Tracks which sources have been updated to avoid multiple updates.
+    updated_sources: LazyCell<RefCell<HashSet<SourceId>>>,
 }
 
 impl Config {
@@ -129,6 +131,7 @@ impl Config {
             target_dir: None,
             env,
             profiles: LazyCell::new(),
+            updated_sources: LazyCell::new(),
         }
     }
 
@@ -271,6 +274,12 @@ impl Config {
         })
     }
 
+    pub fn updated_sources(&self) -> RefMut<'_, HashSet<SourceId>> {
+        self.updated_sources.borrow_with(|| {
+            RefCell::new(HashSet::new())
+        }).borrow_mut()
+    }
+
     pub fn values(&self) -> CargoResult<&HashMap<String, ConfigValue>> {
         self.values.try_borrow_with(|| self.load_values())
     }
diff --git a/tests/testsuite/publish_lockfile.rs b/tests/testsuite/publish_lockfile.rs
index ff29d6c7f88..060aacb52a6 100644
--- a/tests/testsuite/publish_lockfile.rs
+++ b/tests/testsuite/publish_lockfile.rs
@@ -268,54 +268,6 @@ fn no_warn_workspace_extras() {
         .run();
 }
 
-#[test]
-fn out_of_date_lock_note() {
-    // Dependency is force-changed from an out-of-date Cargo.lock.
-    Package::new("dep", "1.0.0").publish();
-    Package::new("dep", "2.0.0").publish();
-
-    let p = project()
-        .file(
-            "Cargo.toml",
-            &pl_manifest(
-                "foo",
-                "0.0.1",
-                r#"
-                [dependencies]
-                dep = "1.0"
-                "#,
-            ),
-        )
-        .file("src/main.rs", "fn main() {}")
-        .build();
-    p.cargo("generate-lockfile")
-        .masquerade_as_nightly_cargo()
-        .run();
-    p.change_file(
-        "Cargo.toml",
-        &pl_manifest(
-            "foo",
-            "0.0.1",
-            r#"
-            [dependencies]
-            dep = "2.0"
-            "#,
-        ),
-    );
-    p.cargo("package --no-verify -v --allow-dirty")
-        .masquerade_as_nightly_cargo()
-        .with_stderr(
-            "\
-[PACKAGING] foo v0.0.1 ([..])
-[ARCHIVING] Cargo.toml
-[ARCHIVING] src/main.rs
-[UPDATING] `[..]` index
-[NOTE] package `dep v2.0.0` added to the packaged Cargo.lock file, previous version was `1.0.0`
-",
-        )
-        .run();
-}
-
 #[test]
 fn warn_package_with_yanked() {
     Package::new("bar", "0.1.0").publish();
@@ -377,7 +329,6 @@ dependencies = [
         )
         .publish();
 
-    // It is unfortunate that this displays UPDATING twice.
     cargo_process("install --locked foo")
         .with_stderr(
             "\
@@ -385,7 +336,6 @@ dependencies = [
 [DOWNLOADING] crates ...
 [DOWNLOADED] foo v0.1.0 (registry `[..]`)
 [INSTALLING] foo v0.1.0
-[UPDATING] `[..]` index
 [WARNING] package `bar v0.1.0` in Cargo.lock is yanked in registry \
     `crates.io`, consider running without --locked
 [DOWNLOADING] crates ...

From 8a30158919622ebf5c2d2fba0eeff89196fd587d Mon Sep 17 00:00:00 2001
From: Eric Huss <eric@huss.org>
Date: Tue, 16 Apr 2019 11:33:07 -0700
Subject: [PATCH 11/12] Remove `source` from compile_ws.

This was added for `cargo install` to avoid updating the source multiple times.
Now that multiple updates are guarded via `Config::updated_sources`, it is
no longer necessary.
---
 src/cargo/ops/cargo_compile.rs                    | 7 +++----
 src/cargo/ops/cargo_doc.rs                        | 1 -
 src/cargo/ops/cargo_install.rs                    | 6 +++---
 src/cargo/ops/cargo_output_metadata.rs            | 1 -
 src/cargo/ops/cargo_package.rs                    | 3 +--
 src/cargo/ops/cargo_uninstall.rs                  | 2 +-
 src/cargo/ops/common_for_install_and_uninstall.rs | 6 +++---
 src/cargo/ops/resolve.rs                          | 7 +------
 8 files changed, 12 insertions(+), 21 deletions(-)

diff --git a/src/cargo/ops/cargo_compile.rs b/src/cargo/ops/cargo_compile.rs
index 28a7d659937..dbc03005667 100644
--- a/src/cargo/ops/cargo_compile.rs
+++ b/src/cargo/ops/cargo_compile.rs
@@ -31,7 +31,7 @@ use crate::core::compiler::{
 use crate::core::compiler::{CompileMode, Kind, Unit};
 use crate::core::profiles::{Profiles, UnitFor};
 use crate::core::resolver::{Method, Resolve};
-use crate::core::{Package, Source, Target};
+use crate::core::{Package, Target};
 use crate::core::{PackageId, PackageIdSpec, TargetKind, Workspace};
 use crate::ops;
 use crate::util::config::Config;
@@ -247,12 +247,11 @@ pub fn compile_with_exec<'a>(
     exec: &Arc<dyn Executor>,
 ) -> CargoResult<Compilation<'a>> {
     ws.emit_warnings()?;
-    compile_ws(ws, None, options, exec)
+    compile_ws(ws, options, exec)
 }
 
 pub fn compile_ws<'a>(
     ws: &Workspace<'a>,
-    source: Option<Box<dyn Source + 'a>>,
     options: &CompileOptions<'a>,
     exec: &Arc<dyn Executor>,
 ) -> CargoResult<Compilation<'a>> {
@@ -305,7 +304,7 @@ pub fn compile_ws<'a>(
         all_features,
         uses_default_features: !no_default_features,
     };
-    let resolve = ops::resolve_ws_with_method(ws, source, method, &specs)?;
+    let resolve = ops::resolve_ws_with_method(ws, method, &specs)?;
     let (packages, resolve_with_overrides) = resolve;
 
     let to_build_ids = specs
diff --git a/src/cargo/ops/cargo_doc.rs b/src/cargo/ops/cargo_doc.rs
index 1c332b422db..bb77acf9a69 100644
--- a/src/cargo/ops/cargo_doc.rs
+++ b/src/cargo/ops/cargo_doc.rs
@@ -23,7 +23,6 @@ pub fn doc(ws: &Workspace<'_>, options: &DocOptions<'_>) -> CargoResult<()> {
     let specs = options.compile_opts.spec.to_package_id_specs(ws)?;
     let resolve = ops::resolve_ws_precisely(
         ws,
-        None,
         &options.compile_opts.features,
         options.compile_opts.all_features,
         options.compile_opts.no_default_features,
diff --git a/src/cargo/ops/cargo_install.rs b/src/cargo/ops/cargo_install.rs
index a9ee557a04f..c48354c7199 100644
--- a/src/cargo/ops/cargo_install.rs
+++ b/src/cargo/ops/cargo_install.rs
@@ -145,7 +145,7 @@ fn install_one(
 ) -> CargoResult<()> {
     let config = opts.config;
 
-    let (pkg, source) = if source_id.is_git() {
+    let pkg = if source_id.is_git() {
         select_pkg(
             GitSource::new(source_id, config)?,
             krate,
@@ -307,7 +307,7 @@ fn install_one(
     check_yanked_install(&ws)?;
 
     let exec: Arc<dyn Executor> = Arc::new(DefaultExecutor);
-    let compile = ops::compile_ws(&ws, Some(source), opts, &exec).chain_err(|| {
+    let compile = ops::compile_ws(&ws, opts, &exec).chain_err(|| {
         if let Some(td) = td_opt.take() {
             // preserve the temporary directory, so the user can inspect it
             td.into_path();
@@ -489,7 +489,7 @@ fn check_yanked_install(ws: &Workspace<'_>) -> CargoResult<()> {
     // It would be best if `source` could be passed in here to avoid a
     // duplicate "Updating", but since `source` is taken by value, then it
     // wouldn't be available for `compile_ws`.
-    let (pkg_set, resolve) = ops::resolve_ws_with_method(ws, None, Method::Everything, &specs)?;
+    let (pkg_set, resolve) = ops::resolve_ws_with_method(ws, Method::Everything, &specs)?;
     let mut sources = pkg_set.sources_mut();
     for pkg_id in resolve.iter() {
         if let Some(source) = sources.get_mut(pkg_id.source_id()) {
diff --git a/src/cargo/ops/cargo_output_metadata.rs b/src/cargo/ops/cargo_output_metadata.rs
index 957664cfda5..2cd93e46ee3 100644
--- a/src/cargo/ops/cargo_output_metadata.rs
+++ b/src/cargo/ops/cargo_output_metadata.rs
@@ -52,7 +52,6 @@ fn metadata_full(ws: &Workspace<'_>, opt: &OutputMetadataOptions) -> CargoResult
     let specs = Packages::All.to_package_id_specs(ws)?;
     let (package_set, resolve) = ops::resolve_ws_precisely(
         ws,
-        None,
         &opt.features,
         opt.all_features,
         opt.no_default_features,
diff --git a/src/cargo/ops/cargo_package.rs b/src/cargo/ops/cargo_package.rs
index f58f08a5665..937afd735fb 100644
--- a/src/cargo/ops/cargo_package.rs
+++ b/src/cargo/ops/cargo_package.rs
@@ -141,7 +141,7 @@ fn build_lock(ws: &Workspace<'_>) -> CargoResult<String> {
     let specs = vec![PackageIdSpec::from_package_id(new_pkg.package_id())];
     let tmp_ws = Workspace::ephemeral(new_pkg, ws.config(), None, true)?;
     let (pkg_set, new_resolve) =
-        ops::resolve_ws_with_method(&tmp_ws, None, Method::Everything, &specs)?;
+        ops::resolve_ws_with_method(&tmp_ws, Method::Everything, &specs)?;
 
     if let Some(orig_resolve) = orig_resolve {
         compare_resolve(config, tmp_ws.current()?, &orig_resolve, &new_resolve)?;
@@ -587,7 +587,6 @@ fn run_verify(ws: &Workspace<'_>, tar: &FileLock, opts: &PackageOpts<'_>) -> Car
     let exec: Arc<dyn Executor> = Arc::new(DefaultExecutor);
     ops::compile_ws(
         &ws,
-        None,
         &ops::CompileOptions {
             config,
             build_config: BuildConfig::new(config, opts.jobs, &opts.target, CompileMode::Build)?,
diff --git a/src/cargo/ops/cargo_uninstall.rs b/src/cargo/ops/cargo_uninstall.rs
index 96c64e03e07..ee7ba2197b4 100644
--- a/src/cargo/ops/cargo_uninstall.rs
+++ b/src/cargo/ops/cargo_uninstall.rs
@@ -85,7 +85,7 @@ fn uninstall_cwd(root: &Filesystem, bins: &[String], config: &Config) -> CargoRe
     let tracker = InstallTracker::load(config, root)?;
     let source_id = SourceId::for_path(config.cwd())?;
     let src = path_source(source_id, config)?;
-    let (pkg, _source) = select_pkg(src, None, None, config, true, &mut |path| {
+    let pkg = select_pkg(src, None, None, config, true, &mut |path| {
         path.read_packages()
     })?;
     let pkgid = pkg.package_id();
diff --git a/src/cargo/ops/common_for_install_and_uninstall.rs b/src/cargo/ops/common_for_install_and_uninstall.rs
index b3652cd169a..9eba393ec37 100644
--- a/src/cargo/ops/common_for_install_and_uninstall.rs
+++ b/src/cargo/ops/common_for_install_and_uninstall.rs
@@ -560,7 +560,7 @@ pub fn select_pkg<'a, T>(
     config: &Config,
     needs_update: bool,
     list_all: &mut dyn FnMut(&mut T) -> CargoResult<Vec<Package>>,
-) -> CargoResult<(Package, Box<dyn Source + 'a>)>
+) -> CargoResult<Package>
 where
     T: Source + 'a,
 {
@@ -647,7 +647,7 @@ where
         match deps.iter().map(|p| p.package_id()).max() {
             Some(pkgid) => {
                 let pkg = Box::new(&mut source).download_now(pkgid, config)?;
-                Ok((pkg, Box::new(source)))
+                Ok(pkg)
             }
             None => {
                 let vers_info = vers
@@ -679,7 +679,7 @@ where
                 ),
             },
         };
-        return Ok((pkg.clone(), Box::new(source)));
+        return Ok(pkg.clone());
 
         fn multi_err(kind: &str, mut pkgs: Vec<&Package>) -> String {
             pkgs.sort_unstable_by_key(|a| a.name());
diff --git a/src/cargo/ops/resolve.rs b/src/cargo/ops/resolve.rs
index 1532fb31b91..352a9ad824f 100644
--- a/src/cargo/ops/resolve.rs
+++ b/src/cargo/ops/resolve.rs
@@ -32,7 +32,6 @@ pub fn resolve_ws<'a>(ws: &Workspace<'a>) -> CargoResult<(PackageSet<'a>, Resolv
 /// taking into account `paths` overrides and activated features.
 pub fn resolve_ws_precisely<'a>(
     ws: &Workspace<'a>,
-    source: Option<Box<dyn Source + 'a>>,
     features: &[String],
     all_features: bool,
     no_default_features: bool,
@@ -49,19 +48,15 @@ pub fn resolve_ws_precisely<'a>(
             uses_default_features: !no_default_features,
         }
     };
-    resolve_ws_with_method(ws, source, method, specs)
+    resolve_ws_with_method(ws, method, specs)
 }
 
 pub fn resolve_ws_with_method<'a>(
     ws: &Workspace<'a>,
-    source: Option<Box<dyn Source + 'a>>,
     method: Method<'_>,
     specs: &[PackageIdSpec],
 ) -> CargoResult<(PackageSet<'a>, Resolve)> {
     let mut registry = PackageRegistry::new(ws.config())?;
-    if let Some(source) = source {
-        registry.add_preloaded(source);
-    }
     let mut add_patches = true;
 
     let resolve = if ws.ignore_lock() {

From 7d202307cebba894a2c95e9a16b9f8e31b7501f2 Mon Sep 17 00:00:00 2001
From: Eric Huss <eric@huss.org>
Date: Wed, 17 Apr 2019 14:06:05 -0700
Subject: [PATCH 12/12] Include Cargo.lock in package checks.

This includes `Cargo.lock` in the git dirty check. It explicitly excludes
`Cargo.lock` as an untracked file, since it is not relevant for the dirty check;
it is only checked if it is committed to git.

This also adds `Cargo.lock` to the "did anything modify this" check during
verification. I don't see a reason to exclude it (particularly since ephemeral
workspaces do not save the lock file).

Also add "Archiving: Cargo.lock" to the verbose output.
---
 src/cargo/core/package.rs           |  6 ++++++
 src/cargo/ops/cargo_package.rs      | 28 ++++++++++++++++------------
 src/cargo/sources/path.rs           | 25 ++++++++++++++++---------
 tests/testsuite/publish_lockfile.rs | 18 ++++++++++++++++++
 4 files changed, 56 insertions(+), 21 deletions(-)

diff --git a/src/cargo/core/package.rs b/src/cargo/core/package.rs
index 389a5ab93ec..d5f7d89fafc 100644
--- a/src/cargo/core/package.rs
+++ b/src/cargo/core/package.rs
@@ -236,6 +236,12 @@ impl Package {
             toml
         ))
     }
+
+    /// Returns if package should include `Cargo.lock`.
+    pub fn include_lockfile(&self) -> bool {
+        self.manifest().publish_lockfile()
+            && self.targets().iter().any(|t| t.is_example() || t.is_bin())
+    }
 }
 
 impl fmt::Display for Package {
diff --git a/src/cargo/ops/cargo_package.rs b/src/cargo/ops/cargo_package.rs
index 937afd735fb..edb7aca9cbd 100644
--- a/src/cargo/ops/cargo_package.rs
+++ b/src/cargo/ops/cargo_package.rs
@@ -79,7 +79,8 @@ pub fn package(ws: &Workspace<'_>, opts: &PackageOpts<'_>) -> CargoResult<Option
             .iter()
             .map(|file| file.strip_prefix(root).unwrap().to_path_buf())
             .collect();
-        if include_lockfile(pkg) {
+        if pkg.include_lockfile() && !list.contains(&PathBuf::from("Cargo.lock")) {
+            // A generated Cargo.lock will be included.
             list.push("Cargo.lock".into());
         }
         if vcs_info.is_some() {
@@ -140,8 +141,7 @@ fn build_lock(ws: &Workspace<'_>) -> CargoResult<String> {
     // Regenerate Cargo.lock using the old one as a guide.
     let specs = vec![PackageIdSpec::from_package_id(new_pkg.package_id())];
     let tmp_ws = Workspace::ephemeral(new_pkg, ws.config(), None, true)?;
-    let (pkg_set, new_resolve) =
-        ops::resolve_ws_with_method(&tmp_ws, Method::Everything, &specs)?;
+    let (pkg_set, new_resolve) = ops::resolve_ws_with_method(&tmp_ws, Method::Everything, &specs)?;
 
     if let Some(orig_resolve) = orig_resolve {
         compare_resolve(config, tmp_ws.current()?, &orig_resolve, &new_resolve)?;
@@ -151,10 +151,6 @@ fn build_lock(ws: &Workspace<'_>) -> CargoResult<String> {
     ops::resolve_to_string(&tmp_ws, &new_resolve)
 }
 
-fn include_lockfile(pkg: &Package) -> bool {
-    pkg.manifest().publish_lockfile() && pkg.targets().iter().any(|t| t.is_example() || t.is_bin())
-}
-
 // Checks that the package has some piece of metadata that a human can
 // use to tell what the package is about.
 fn check_metadata(pkg: &Package, config: &Config) -> CargoResult<()> {
@@ -337,6 +333,10 @@ fn tar(
         let relative_str = relative.to_str().ok_or_else(|| {
             failure::format_err!("non-utf8 path in source directory: {}", relative.display())
         })?;
+        if relative_str == "Cargo.lock" {
+            // This is added manually below.
+            continue;
+        }
         config
             .shell()
             .verbose(|shell| shell.status("Archiving", &relative_str))?;
@@ -432,9 +432,12 @@ fn tar(
             .chain_err(|| internal(format!("could not archive source file `{}`", fnd)))?;
     }
 
-    if include_lockfile(pkg) {
+    if pkg.include_lockfile() {
         let new_lock = build_lock(&ws)?;
 
+        config
+            .shell()
+            .verbose(|shell| shell.status("Archiving", "Cargo.lock"))?;
         let path = format!(
             "{}-{}{}Cargo.lock",
             pkg.name(),
@@ -534,7 +537,10 @@ fn compare_resolve(
                 )
             }
         };
-        let msg = format!("package `{}` added to the packaged Cargo.lock file{}", pkg_id, extra);
+        let msg = format!(
+            "package `{}` added to the packaged Cargo.lock file{}",
+            pkg_id, extra
+        );
         config.shell().status_with_color("Note", msg, Color::Cyan)?;
     }
     Ok(())
@@ -625,9 +631,7 @@ fn hash_all(path: &Path) -> CargoResult<HashMap<PathBuf, u64>> {
     fn wrap(path: &Path) -> CargoResult<HashMap<PathBuf, u64>> {
         let mut result = HashMap::new();
         let walker = walkdir::WalkDir::new(path).into_iter();
-        for entry in walker.filter_entry(|e| {
-            !(e.depth() == 1 && (e.file_name() == "target" || e.file_name() == "Cargo.lock"))
-        }) {
+        for entry in walker.filter_entry(|e| !(e.depth() == 1 && e.file_name() == "target")) {
             let entry = entry?;
             let file_type = entry.file_type();
             if file_type.is_file() {
diff --git a/src/cargo/sources/path.rs b/src/cargo/sources/path.rs
index a425421b5ff..700f02391ad 100644
--- a/src/cargo/sources/path.rs
+++ b/src/cargo/sources/path.rs
@@ -240,8 +240,13 @@ impl<'cfg> PathSource<'cfg> {
                 }
             }
 
-            // Update to `ignore_should_package` for Stage 2.
-            Ok(glob_should_package)
+            let should_include = match path.file_name().and_then(|s| s.to_str()) {
+                Some("Cargo.lock") => pkg.include_lockfile(),
+                // Update to `ignore_should_package` for Stage 2.
+                _ => glob_should_package,
+            };
+
+            Ok(should_include)
         };
 
         // Attempt Git-prepopulate only if no `include` (see rust-lang/cargo#4135).
@@ -332,7 +337,11 @@ impl<'cfg> PathSource<'cfg> {
         }
         let statuses = repo.statuses(Some(&mut opts))?;
         let untracked = statuses.iter().filter_map(|entry| match entry.status() {
-            git2::Status::WT_NEW => Some((join(root, entry.path_bytes()), None)),
+            // Don't include Cargo.lock if it is untracked. Packaging will
+            // generate a new one as needed.
+            git2::Status::WT_NEW if entry.path() != Some("Cargo.lock") => {
+                Some((join(root, entry.path_bytes()), None))
+            }
             _ => None,
         });
 
@@ -342,17 +351,15 @@ impl<'cfg> PathSource<'cfg> {
             let file_path = file_path?;
 
             // Filter out files blatantly outside this package. This is helped a
-            // bit obove via the `pathspec` function call, but we need to filter
+            // bit above via the `pathspec` function call, but we need to filter
             // the entries in the index as well.
             if !file_path.starts_with(pkg_path) {
                 continue;
             }
 
             match file_path.file_name().and_then(|s| s.to_str()) {
-                // Filter out `Cargo.lock` and `target` always; we don't want to
-                // package a lock file no one will ever read and we also avoid
-                // build artifacts.
-                Some("Cargo.lock") | Some("target") => continue,
+                // The `target` directory is never included.
+                Some("target") => continue,
 
                 // Keep track of all sub-packages found and also strip out all
                 // matches we've found so far. Note, though, that if we find
@@ -467,7 +474,7 @@ impl<'cfg> PathSource<'cfg> {
             if is_root {
                 // Skip Cargo artifacts.
                 match name {
-                    Some("target") | Some("Cargo.lock") => continue,
+                    Some("target") => continue,
                     _ => {}
                 }
             }
diff --git a/tests/testsuite/publish_lockfile.rs b/tests/testsuite/publish_lockfile.rs
index 060aacb52a6..75c7e8dcf29 100644
--- a/tests/testsuite/publish_lockfile.rs
+++ b/tests/testsuite/publish_lockfile.rs
@@ -87,6 +87,23 @@ fn package_lockfile_git_repo() {
 Cargo.lock
 Cargo.toml
 src/main.rs
+",
+        )
+        .run();
+    cargo_process("package -v")
+        .cwd(g.root())
+        .masquerade_as_nightly_cargo()
+        .with_stderr(
+            "\
+[PACKAGING] foo v0.0.1 ([..])
+[ARCHIVING] Cargo.toml
+[ARCHIVING] src/main.rs
+[ARCHIVING] .cargo_vcs_info.json
+[ARCHIVING] Cargo.lock
+[VERIFYING] foo v0.0.1 ([..])
+[COMPILING] foo v0.0.1 ([..])
+[RUNNING] `rustc --crate-name foo src/main.rs [..]
+[FINISHED] dev [unoptimized + debuginfo] target(s) in [..]
 ",
         )
         .run();
@@ -185,6 +202,7 @@ fn note_resolve_changes() {
 [PACKAGING] foo v0.0.1 ([..])
 [ARCHIVING] Cargo.toml
 [ARCHIVING] src/main.rs
+[ARCHIVING] Cargo.lock
 [UPDATING] `[..]` index
 [NOTE] package `mutli v0.1.0` added to the packaged Cargo.lock file, was originally sourced from `[..]/foo/mutli`
 [NOTE] package `patched v1.0.0` added to the packaged Cargo.lock file, was originally sourced from `[..]/foo/patched`