Implement the 'frontend' of public-private dependencies #6772
Conversation
|
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @nrc (or someone else) soon. If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes. Please see the contribution instructions for more information. |
rust-highfive
added
the
S-waiting-on-review
|
Note that this PR requires rust-lang/rust#59335 to be merged for the tests to pass, since |
|
☔ The latest upstream changes (presumably #6759) made this pull request unmergeable. Please resolve the merge conflicts. |
Aaron1011
force-pushed
the
feature/final-pub-priv
branch
from
603a3e6
to
24ebfd4
Compare
Aaron1011
force-pushed
the
feature/final-pub-priv
branch
from
df28d39
to
39a36a6
Compare
|
@nrc: Now that rust-lang/rust#59335 has been merged, this PR is ready for review. |
| @@ -41,6 +44,21 @@ impl Resolve { | |||
| unused_patches: Vec<PackageId>, | |||
| ) -> Resolve { | |||
| let reverse_replacements = replacements.iter().map(|(&p, &r)| (r, p)).collect(); | |||
| let public_dependencies = graph.iter().map(|p| { | |||
| let public_deps = graph.edges(p).flat_map(|(dep_package, deps)| { | |||
| let id_opt: Option<PackageId> = deps.iter().find(|d| d.kind() == Kind::Normal).and_then(|d| { | |||
There was a problem hiding this comment.
Just to be sure I understand, this calculates the direct (not transitive) public dependencies for each package. Yes?
Why the the d.kind() == Kind::Normal?
There was a problem hiding this comment.
The other kinds are Development and Build, neither of which can ever be exposed as transitive dependencies.
There was a problem hiding this comment.
That makes sense. Should we have an error if you try a Cargo.toml that has a Development or Build dep with public set to true? Then add asserts in the set_public to make sure we never let it slip in?
| @@ -443,6 +444,14 @@ fn run_verify(ws: &Workspace<'_>, tar: &FileLock, opts: &PackageOpts<'_>) -> Car | |||
| let pkg_fingerprint = hash_all(&dst)?; | |||
| let ws = Workspace::ephemeral(new_pkg, config, None, true)?; | |||
|
|
|||
| let rustc_args = if pkg.manifest().features().require(Feature::public_dependency()).is_ok() { | |||
| // FIXME: Turn this on at some point in the future | |||
| //Some(vec!["-D exported_private_dependencies".to_string()]) | |||
There was a problem hiding this comment.
Sorry for my ignorance. I don't know what this will do or why it is off now. Can you elaborate?
There was a problem hiding this comment.
This turns all exported_private_dependencies warnings into hard errors when publishing. According to the RFC, 'cargo publish might change this warning into an error in its lint step'
I thought it was best to leave it off for now, so that we don't imemdiately break publishing for people who enable this feature.
|
☔ The latest upstream changes (presumably #6840) made this pull request unmergeable. Please resolve the merge conflicts. |
Aaron1011
force-pushed
the
feature/final-pub-priv
branch
from
39a36a6
to
343d72f
Compare
There was a problem hiding this comment.
This is looking great, thanks!
Can you add a section to the bottom of https://github.com/rust-lang/cargo/blob/master/src/doc/src/reference/unstable.md that briefly explains how to use the feature? Just explain how to add cargo-features and how to set public = true, and a link to the tracking issue (rust-lang/rust#44663).
Are you planning to add the public field to the publish code after rust-lang/crates.io#1685 is done in a separate PR?
I think maybe it needs to only issue warnings for library targets? Otherwise you'll get unwanted warnings for leaking in binaries, tests, etc. I think, maybe, just check unit.target.is_lib() to determine if --extern-private should be used?
I think the public field should be included in the fingerprint (which is used to detect if something should be recompiled). If you compile, find warnings, then edit Cargo.toml to add private=true, and then compile again, the second compile won't do anything because Cargo does not think anything has changed. I think this can be fixed by adding a public: bool field to DepFingerprint.
Unrelated to this PR: I think the lint message will need to provide more information to the user about what is wrong and how to fix it. Historically rustc has avoided talking about Cargo in its diagnostics, but I don't see a way to avoid it here. Can you follow up with someone on the compiler team who works on diagnostics (like estebank, or anyone really) to figure out better wording? I would think it would be something like adding a "help" to the diagnostic that says something like "if you are using Cargo, consider adding public = true to the dependency in Cargo.toml". I would think it should also have a brief explanation of why a private dependency is bad to have in a public interface, but I don't know how to word that succinctly. Clippy has links to explanations, but I don't think rustc ever does that. Unfortunately I'm not very familiar with writing compiler lints.
tests/testsuite/pub_priv.rs
Outdated
|
|
||
| #[test] | ||
| fn requires_feature() { | ||
|
|
There was a problem hiding this comment.
Some extra whitespace here. Can you run rustfmt on this file to fix this and a few other minor formatting things?
src/cargo/core/compiler/mod.rs
Outdated
|
|
||
| if current.pkg.manifest().features().require(Feature::public_dependency()).is_ok() { | ||
| if !bcx.is_public_dependency(current, dep) { | ||
| cmd.arg("--extern-private").arg(&v); |
There was a problem hiding this comment.
If I'm reading rust-lang/rust#59335 correctly, I think this should add either --extern OR --extern-private, not both?
There was a problem hiding this comment.
All external crates as passed via --extern. Private dependencies have an additional --extern-private flag (see https://github.com/rust-lang/rust/pull/59335/files#diff-5475738f2f1f16057af4f7ee93412ec4R3)
There was a problem hiding this comment.
I'm not sure I understand. Looking at this code it seems like it overrides whatever --extern* flags appeared previously. Why does it need to have both --extern and --extern-private if the first flag gets overridden/ignored? They both carry the entire package name and path, so I don't see how it carries more information to issue just --extern-private. If I run rustc manually with just --extern-private, it seems to work?
I'm concerned that the command line is exploding to extreme lengths. Windows has a limit of 32k (AFAIK), and with doubling the command line length, I see a few larger projects would be pushing 20-25k, which is getting close to that limit. And a 20k command-line does seem a bit extreme to me, just from a practicality standpoint.
There was a problem hiding this comment.
Originally, the plan was to pass --extern name=path and --extern-private name. However, during the course of implementing the Rustc end, we decided on --extern-private name=path`.
Now that I think about it, there's no particular reason for us to pass both --extern and --extern-private.
|
Maybe this is a question for @Eh2406, but when using renamed dependencies with this feature, I am getting a resolver error: My dependencies are: [dependencies]
priv_dep = "0.1.0"
priv_dep2 = {version="0.2.0", package="priv_dep"}This does not happen if the feature is turned off. |
|
@ehuss the rename thing is a known unresolved question, see discussion at #6129 (comment) |
|
Ah! Hopefully it won't be too difficult to fix. Also, I noticed that the diagnostic lint uses the original crate name with renamed dependencies (when there is only one rename). I'm wondering if that might be confusing. For example, if you have: [dependencies]
my_much_better_name = {version="0.1.0", package="priv_dep"}You get a message like: It's probably fine, just contemplating out-loud. |
Yes, I am. There was some discussion around what the exact index format should be (in regard to how it will interact with renamed dependencies).
I think it makes more sense to emit it unconditionally, at least for now. Binary crates can still 'export' types (to the rest of the crate) by marking them as |
|
@ehuss: I've made the changes you requested, and respoded to your questions. |
|
@ehuss: I've modified the PR to only pass |
|
☔ The latest upstream changes (presumably #6860) made this pull request unmergeable. Please resolve the merge conflicts. |
src/cargo/core/compiler/mod.rs
Outdated
| @@ -993,7 +1004,24 @@ fn build_deps_args<'a, 'cfg>( | |||
| v.push(cx.files().out_dir(dep)); | |||
| v.push(&path::MAIN_SEPARATOR.to_string()); | |||
| v.push(&output.path.file_name().unwrap()); | |||
| cmd.arg("--extern").arg(&v); | |||
|
|
|||
| let mut private = false; | |||
There was a problem hiding this comment.
Just from a style standpoint, I would avoid the flag here. Just have something like (pseudo-code):
if …feature enabled… && !bcx.is_public_dependency(…) {
cmd.arg("--extern-private");
*need_unstable_opts |= true;
} else {
cmd.arg("--extern");
}
|
Sorry about the delay. The travis issues were related to rustup, they should be fixed now. Can you add the restrictions noted in #6772 (comment)? I think it makes sense to reject After rebasing, addressing the minor style nit, and the restrictions, I think this should be ready to go. Thanks so much! |
This is part of rust-lang/rust#44663 This implements the 'frontend' portion of RFC 1977. Once PRs rust-lang/rust#59335 and rust-lang/crates.io#1685 are merged, it will be possible to test the full public-private dependency feature: marking a dependency a public, seeing exported_private_dependencies warnings from rustc, and seeing pub-dep-reachability errors from Cargo. Everything in this commit should be fully backwards-compatible - users who don't enable the 'public-dependency' cargo feature won't notice any changes. Note that this commit does *not* implement the remaining two features of the RFC: * Choosing smallest versions when 'cargo publish' is run * Turning exported_private_dependencies warnings into hard errors when 'cargo publish' is run The former is a major change to Cargo's behavior, and should be done in a separate PR with some kind of rollout plan. The latter is described by the RFC as being enabled at 'some point in the future'. This can be done via a follow-up PR.
Aaron1011
force-pushed
the
feature/final-pub-priv
branch
from
7147616
to
df4d209
Compare
|
@ehuss: Rebased and updated |
|
Nice! I can't think of anything else, so let's do it! Let us know if you need any help with the publishing side of things. @bors r+ |
|
📌 Commit f4aac94 has been approved by |
bors
added
S-waiting-on-bors
Implement the 'frontend' of public-private dependencies This is part of rust-lang/rust#44663 This implements the 'frontend' portion of [RFC 1977](https://github.com/rust-lang/rfcs/blob/master/text/1977-public-private-dependencies.md). Once PRs rust-lang/rust#59335 and rust-lang/crates.io#1685 are merged, it will be possible to test the full public-private dependency feature: marking a dependency a public, seeing exported_private_dependencies warnings from rustc, and seeing pub-dep-reachability errors from Cargo. Everything in this commit should be fully backwards-compatible - users who don't enable the 'public-dependency' cargo feature won't notice any changes. Note that this commit does *not* implement the remaining two features of the RFC: * Choosing smallest versions when 'cargo publish' is run * Turning exported_private_dependencies warnings into hard errors when 'cargo publish' is run The former is a major change to Cargo's behavior, and should be done in a separate PR with some kind of rollout plan. The latter is described by the RFC as being enabled at 'some point in the future'. This can be done via a follow-up PR.
|
☀️ Test successful - checks-travis, status-appveyor |
This is part of rust-lang/rust#44663
This implements the 'frontend' portion of RFC 1977. Once PRs rust-lang/rust#59335 and rust-lang/crates.io#1685 are merged,
it will be possible to test the full public-private dependency feature:
marking a dependency a public, seeing exported_private_dependencies
warnings from rustc, and seeing pub-dep-reachability errors from Cargo.
Everything in this commit should be fully backwards-compatible - users
who don't enable the 'public-dependency' cargo feature won't notice any
changes.
Note that this commit does not implement the remaining two features of
the RFC:
The former is a major change to Cargo's behavior, and should be done in a separate PR with some kind of rollout plan.
The latter is described by the RFC as being enabled at 'some point in the future'. This can be done via a follow-up PR.