Publish lockfile for binary crates #5654
Comments
matklad
added
the
C-tracking-issue
|
Any ETA on this, or anything I could do to help? |
|
Continuing from #6556 (comment):
Why shouldn't it be published? Why would an installer not want to use it? |
|
One reason would be if there were security issues with the any of the versions pinned in the lock file, even if those crates were yanked and semver compatible releases made the lock file would still cause the old versions to be used until the binary crate released a new patch version with an updated lock file. |
My only thought is that using the latest versions will bring in the latest and greatest fixes. But maybe the frequency of " This bit me recently where |
|
I guess we could dual |
|
Btw, there's more detail in the chat in #5093. |
|
I should say I'm for having this feature working, I have encountered the same failure in a binary crate I manage as well. I think having |
|
On January 17, 2019 10:27:49 AM EST, Dale Wijnand ***@***.***> wrote:
Continuing from
#6556 (comment):
> I think it would be good to start looking at fixing any known issues
and moving towards stabilizing that. Although if it is optional, I'm
not sure if most people will use it, so it may not help here. I wonder
if it was considered if it should always be published, and let the
installer decide whether or not to use it?
Why _shouldn't_ it be published? Why would an installer _not_ want to
use it?
…--
Best,
polyzen
|
|
@polyzen that's related to libraries, this issue is only about installing binaries (a crate can contain both a library and a binary, but my expectation is that even if it contains a lockfile that will be ignored when used as a library). |
|
I was responding to @dwijnand's original question, but (on FastHub) it doesn't seem like his message got quoted. |
|
For some reason before finding this issue, I thought including the lock file was now default (and therefore stabilized) for all bin crates publishing. Its awkward that this is nightly only, as enabling it would normally interfere with CI (using rust versions other than nightly). However I'm already publishing some crates via a dedicated, publishing-specific git branch, so I can disable CI (or only CI on nightly) in that branch and still use it. Yah! @matklad's top Summary has a minor typo: cargo-features = ["publish-lockfile"]`
- [project]
+ [package]
publish-lockfile = trueI do agree with @Nemo157, that minimally, Thanks! |
Thanks, but that link's about version control, though, while this issue is about publishing crates. |
Agreed, it's a shame that one cannot opt-into cargo unstable features on stable. |
Crates used to publish all files checked into version control, including lockfiles. Due to the issue with libraries, people would exclude their libraries' lockfiles from their repos. Eventually lockfiles were filtered out from crates so people wouldn't have to do that. Now we have |
|
Actually, if crates.io security advisories were implemented, along the lines of: https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017 ..then this would probably cover the security concern as well, and in a more general and complete way. cc: @tarcieri |
|
This seems related/relevant: including Cargo.lock in binary artifacts (cc @Shnatsel) One of the goals of the above is definitely to allow RustSec audibility of compiled Rust artifacts, and it seems like that might be useful for solving this particular problem as well. |
As per tracking issue rust-lang/cargo#5654, this is currently a nightly-only feature and would fail CI or user which is not using a nightly-channel rust+cargo.
|
In setting up to try and use this feature (above referencing commit), I note that: cargo-features = ["publish-lockfile"]...is retained in (re-generated) Cargo.toml that is included in the package. In testing a local install at least, I get the following error: % cargo +1.31.0 install --path ./barc-cli
error: `/home/david/src/body-image/barc-cli` is not a crate root; specify a crate to install from crates.io, or use --path or --git to specify an alternate source
Caused by:
failed to parse manifest at `/home/david/src/body-image/barc-cli/Cargo.toml`
Caused by:
the cargo feature `publish-lockfile` requires a nightly version of Cargo, but this is the `stable` channelThe first error line is confusing or perhaps a different issue, but I think I understand the "Caused by" part. Before I go through the trouble of publishing a potentially broken patch release of barc-cli, could anyone confirm/deny if the same error will occur when attempting to install such a published crate on a stable-channel rust via crates.io? If this is the case, was it intentional that the feature is limited to publishing crates (using a nightly), that can only be consumed by a nightly rust? I find that surprisingly narrow of a target. It would be helpful to clarify that, here, ether way. |
|
Well, if its not ok to publish via nighty cargo a crate with MSRV to some stable version, then that seems like a much bigger problem than (lack of) this feature! Isn't that how many or most crates are published? The tendency to develop on nightly, CI and publish for nightly+stable+MSRV? |
|
Yeah, I think we do this by making cargo forward-compatible first, let it ride the trains to stable, then make the change to master/nightly cargo. For example what we're doing in #6180. |
Better error message for bad manifest with `cargo install`. The old code assumed that any error loading a manifest meant that the manifest didn't exist, but there are many other reasons it may fail. Add a few helpful messages for some common cases. First noticed at #5654 (comment)
|
We discussed this today in the Cargo meeting. We do think it is good to stabilise the core concept soon, we want to change a few aspects of the UX:
|
|
I would strongly oppose this because this makes propagating security updates to the ecosystem effectively impossible, at least until a first-class mechanism for security updates is in place. Right now the user is not notified about security updates, but at least |
|
Right now and without this feature, some users (myself included) are opting to use a specific/controlled Cargo.lock, by simply committing and deploying a project's Cargo.lock with the source, building the application/service on the target (or an intermediary) host/container using that lock file, then running it. This makes good sense for repeatable deployment of non-public applications, which we must assume are the vast majority. I think rust-lang/docs.rs is one prominent, public example of this strategy, though. There are likely others. It seems to me that any security concerns should put that in perspective, and any security efforts would be much better spent on doing the thing of most obvious utility: Any Said another way: Security and stabilizing this feature isn't an either/or situation, particularly if actually using the Cargo.lock is stabilized here as a non-default option. |
|
@nrc:
What does that mean in this context? Would cargo, for example, refuse publication if a lock dependency has been yanked (already, at that time)? Security wise I still think the above described warnings are both sufficient and more broadly useful. Users should hopefully see such warnings sooner in there process. But it would make sense to fully re-run such checks at publication time. |
|
Fully agree @dekellum! There are plenty of vulnerability scanning and auditing tools to deal with vulnerable dependencies (e.g., container layers, Linux distro packages, malware patterns within executables, and even open source components). @Shnatsel, see https://github.com/RustSec/cargo-audit. |
|
This is a proposal to stabilize the publish-lockfile feature (in a limited sense). @rfcbot fcp merge Stabilization Target: 1.37 — Release date August 15th 2019 What is being stabilizedCargo will be changed to always include This has no immediate impact on users. NOTE: The Stabilization will also include documentation updates to make note of this change, and calling out the use of The primary motivation for this feature is to allow More details
|
|
Team member @ehuss has proposed to merge this. The next step is review by the rest of the tagged team members: No concerns currently listed. Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for info about what commands tagged team members can give me. |
rfcbot
added
proposed-final-comment-period
Can |
No. IIRC, that applies to the verify-step only. In the cases where the lock file changes, using the original would either be broken, or just contain extra entries that are ignored. |
rfcbot
added
final-comment-period
|
🔔 This is now entering its final comment period, as per the review above. 🔔 |
Stabilize publish-lockfile. This stabilizes the publish-lockfile feature. Specifically: - Makes `Cargo.lock` included by default for packages with executables. - Deprecates the `publish-lockfile` manifest key. It is no longer used. Additional notes: - Fixed issue where if a `Cargo.lock` file didn't exist, `cargo package` would fail the VCS dirty check. - Changed it so that `cargo publish` or `cargo package` will now show manifest warnings. I believe this was an oversight. Closes #5654
rfcbot
added
finished-final-comment-period
Ensure we build xargo and cargo-make in a reproducible way to prevent bitrot. We now specify a version and ask for a locked build. My understanding is that --locked will use the lockfile packaged by the crate, see rust-lang/cargo#5654.
Implementation PR: #5093
Summary:
For binary crate, add
to Cargo.toml.
cargo installwill then use the lockfile of binary crates.Steps:
Feature ready for stabilization
Stabilization TODO:
move docs from https://github.com/rust-lang/cargo/blob/5845464cf92a348f95dc6b43133c017c37fcb684/src/doc/src/reference/unstable.md#publish-lockfile to appropriate location.
remove feature gate
The text was updated successfully, but these errors were encountered: