Cannot patch underspecified git dependency

[glandium]

Problem

When you have a very large codebase with a lot of crates that you vendor (cough cough Firefox), you may want to avoid surprise updates from indirect dependencies using underspecified git dependencies (as in, a dependency on a crate using a git repo without a specific revision).

While you can patch the git dependency with a different repo with a specific revision, it doesn't appear to be possible to patch only adding the specific revision.

Steps

1. cargo new foo
2. Edit foo/Cargo.toml to add:

[dependencies.libc]
git = "https://github.com/rust-lang/libc"

3. cargo new bar
4. Edit bar/Cargo.toml to add:

[dependencies.foo]
path = "../foo"

[patch."https://github.com/rust-lang/libc".libc]
git = "https://github.com/rust-lang/libc"
rev = "4f11029a68040c90acf771976b019c1ef273a8cd"

5. cargo build
   This fails with

error: failed to resolve patches for `https://github.com/rust-lang/libc`

Caused by:
  patch for `libc` in `https://github.com/rust-lang/libc` points to the same source, but patches must point to different sources

Using

[patch."https://github.com/rust-lang/libc".libc]
git = "https://github.com/glandium/libc"
rev = "4f11029a68040c90acf771976b019c1ef273a8cd"

instead works.

Possible Solution(s)

I think when the source is the same, but comes with more information, or changed information, the patch should be allowed.
More information as the above example (there was no rev originally, one was added)
Changed information as in:
bar/Cargo.toml

[dependencies.libc]
git = "https://github.com/rust-lang/libc"
rev = "13d4a5da2eafd82d3ebb2acb729d8b8c9148fb1f"

foo/Cargo.toml

[patch."https://github.com/rust-lang/libc".libc]
git = "https://github.com/rust-lang/libc"
rev = "4f11029a68040c90acf771976b019c1ef273a8cd"

should be allowed. Or
bar/Cargo.toml

[dependencies.libc]
git = "https://github.com/rust-lang/libc"
tag = "2.0.65"

foo/Cargo.toml

[patch."https://github.com/rust-lang/libc".libc]
git = "https://github.com/rust-lang/libc"
rev = "4f11029a68040c90acf771976b019c1ef273a8cd"

Or a different branch, or whatever. That is, you shouldn't have to fork the repository to change the revision that is going to be used.

[PiDelport]

Related: #7497

[PiDelport]

I just ran into this issue too.

Our use case: we have a project using the Rust SGX forks of serde and serde-json, like this:

[dependencies]
serde = { git = "https://github.com/mesalock-linux/serde-sgx", tag = "sgx_1.1.3" }
serde_json = { git = "https://github.com/mesalock-linux/serde-json-sgx", tag = "sgx_1.1.3" }

However, serde-json-sgx references the serde-sgx repository without the tag (source):

[dependencies]
serde = { git = "https://github.com/mesalock-linux/serde-sgx" }

Both references resolve to the same git revision, but because the git tag reference differs, Cargo resolves and builds them as different crate versions, which causes hard-to-understand build failures due to our project referring to different instances of the serde traits than serde_json does.

I tried the following patch to override serde-json-sgx's dependency to match our project's, but it failed with the same "points to the same source" error message as above:

[patch."https://github.com/mesalock-linux/serde-sgx"]
serde = { git = "https://github.com/mesalock-linux/serde-sgx.git", tag = "sgx_1.1.3" }

For now, our workaround is to make sure that our project's reference to the serde-sgx repository matches that of serde-json-sgx exactly:

serde = { git = "https://github.com/mesalock-linux/serde-sgx" }
serde_json = { git = "https://github.com/mesalock-linux/serde-json-sgx", tag = "sgx_1.1.3" }

This fixes the issue, but it's fragile. It would be nice to be able to use a patch entry to override this more reliably.

[str4d]

This issue is either a duplicate of, or related to, #5478.

[epage]

Closing in favor of #5478. If there is a reason for us to re-evaluate this, let us know!