Add --locked flag to Rust formulae with a Cargo.lock file #46025
Comments
On to questions and comments. When updating these formulae, if there isn't a new version available to bump the version at the same time, should we bump the revision? That is to say, if we want the bottles to be rebuilt (using the

I saw that the

Per the previous discussion (in the aforementioned PR), it may be necessary to create an audit for the

In general, if anyone has any additional comments/guidelines on how this should be tackled, please do let me know.
No. As the formulas are currently working, we don't want to force the new binaries on all users, so no revision bump.
Out of curiosity, are new bottles published after a formula modification without a revision bump? That is, if a user newly installs a formula after the

Besides the demonstrated issue with broken builds over time, my other concern was that without the

I'll respect this decision regardless but I felt I would be remiss not to clarify this further.
This is possible; you can tell because the formulae will have
Bottles are systematically rebuilt as part of testing a pull request. Whether the new bottles are published depends on the maintainer's choice when merging, whether they decided to pull the bottles as well during the merge… we almost always do.
Besides
Thanks to everyone involved!
The related PR that brought attention to this issue (#45839) is now merged and less visible, so I wanted to create an issue to continue any discussion around the `--locked` flag, track progress on related formulae updates, and to have something that people can see and reference.

The general idea here is that Rust formulae typically use `cargo install` to build/install but haven't been using the `--locked` flag, so builds aren't reproducible and can eventually fail over time if a dependency adds a breaking change in a newer version. In contrast to `cargo build`, by default `cargo install` uses the latest dependencies in the build rather than the ones found in `Cargo.lock`. Adding the `--locked` flag makes `cargo install` use the dependency versions in the `Cargo.lock` file, which is generally what you would expect when you're trying to build a binary of a specific version/revision of a project.

I threw together a little script that goes through the formulae and identifies which have the `--locked` flag already and which still potentially need it. I've created lists of the formulae 1) with no `Cargo.lock` file, 2) with a `Cargo.lock` file now added to the repo but not yet in a release, 3) with a `Cargo.lock` file but no `--locked` flag, and 4) with a `Cargo.lock` file and the `--locked` flag (i.e., finished).

Feel free to mention this issue in any related PR, as I'll be trying to keep this relatively up to date to track progress.
Does Not Have `Cargo.lock`

`Cargo.lock` Added but Not Yet in a Release

Has `Cargo.lock` and Needs `--locked` Flag

(`--locked` flag will be added in the next release after 0.9.1)

Has `Cargo.lock` and `--locked` Flag
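As an added illustration of the four-list triage described in the issue (this is example code, not the script the issue author mentions and not Homebrew's own tooling), the Ruby below inspects a formula's `system "cargo", "install", ...` line for the `--locked` flag and sorts the formula into the issue's buckets. It assumes the formula source is passed in as a string and that whether upstream ships a `Cargo.lock` in its release tarball or only in its repo has been determined separately and is passed in as booleans, since that cannot be read from the formula text; the sample formulae are constructed, not real ones.

```ruby
# Matches the build line a Rust formula typically uses; the captured tail is
# whatever follows "install" (flags, prefix, path). A splatted helper such as
# *std_cargo_args is NOT expanded here (assumption: treat it as unlocked).
CARGO_INSTALL_RE = /system\s+"cargo",\s*"install"(?<args>[^\n]*)/

# Returns the argument tail of the cargo install call, or nil when the
# formula does not build via `cargo install` at all.
def cargo_install_args(formula_src)
  m = CARGO_INSTALL_RE.match(formula_src)
  m && m[:args]
end

# True only when the literal "--locked" argument is present on that line.
def locked?(formula_src)
  args = cargo_install_args(formula_src)
  !args.nil? && args.include?('"--locked"')
end

# The issue's four lists, plus one bucket for formulae outside its scope:
#   :no_cargo_lock         - upstream ships no Cargo.lock (list 1)
#   :cargo_lock_unreleased - Cargo.lock in the repo, not yet in a release (list 2)
#   :needs_locked          - Cargo.lock released but no --locked flag (list 3)
#   :done                  - Cargo.lock released and --locked present (list 4)
#   :not_cargo_install     - formula does not use cargo install
def classify_formula(formula_src, lock_in_release:, lock_in_repo:)
  return :not_cargo_install unless cargo_install_args(formula_src)
  return :done if lock_in_release && locked?(formula_src)
  return :needs_locked if lock_in_release
  return :cargo_lock_unreleased if lock_in_repo
  :no_cargo_lock
end

# Constructed sample formulae (hypothetical, not real Homebrew formulae).
UNLOCKED_FORMULA = <<~RUBY
  class Foo < Formula
    depends_on "rust" => :build
    def install
      system "cargo", "install", "--root", prefix, "--path", "."
    end
  end
RUBY
LOCKED_FORMULA = UNLOCKED_FORMULA.sub('"install",', '"install", "--locked",')

if __FILE__ == $PROGRAM_NAME
  puts classify_formula(UNLOCKED_FORMULA, lock_in_release: true, lock_in_repo: true) # needs_locked
  puts classify_formula(LOCKED_FORMULA, lock_in_release: true, lock_in_repo: true)   # done
end
```

Run over a tap's `Formula/*.rb` files, the resulting `:needs_locked` set is the list of bottles whose dependency graph can still drift between rebuilds.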