Re: [tor-bugs] #22905 [Core Tor/Tor]: Cargo.lock and Cargo.toml specify incompatible dependencies for libc
#22905: Cargo.lock and Cargo.toml specify incompatible dependencies for libc
-----------------------------+--------------------------
Reporter: isis | Owner:
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: rust, tor-build | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor: SponsorZ
-----------------------------+--------------------------
Comment (by alexcrichton):
Hello! I figure I may be able to help clarify a bit here, although let me
know if anything doesn't make sense.
> We committed src/rust/Cargo.lock which is a bit strange since it's
> normally not recommended, and especially not for library crates like ours
Perhaps! It sort of depends on the goal here. It's true that most pure
libraries tend to not commit Cargo.lock, but that's actually because cargo
will ignore the Cargo.lock in dependencies, it'll only use the
"application's" Cargo.lock. That's why projects like Servo and rustc
itself will commit Cargo.lock. The repositories contain Cargo.lock but
they also contain a bunch of libraries.
In that sense it sort of depends on what the repository layout looks like
here. If this is a library right next to an application you'd probably
want to commit Cargo.lock, but if it's just a repo with a library then
yeah I'd recommend changing `"*"` to `"0.2.24"` like you've got listed.
There's some other documentation online
(http://doc.crates.io/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries)
as well, but the cargo docs aren't always the most helpful :(
In any case though I'd probably recommend avoiding `"*"` dependencies. If
you use more targeted dependencies (like `"0.2.24"` which stands for
"semver compatible with 0.2.24" which is actually `>=0.2.24, < 0.3`) then
you can typically use `cargo update` to safely update dependencies without
worrying about actually breaking your code. This'll help to easily pick up
bug fixes and such in libraries without accidentally introducing breakage
sometimes.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22905#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
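Added example, not part of the original message and not Cargo's own code: a std-only sketch of the version ranges the comment describes, showing which releases a `"*"` requirement and a `"0.2.24"` requirement would each accept on `cargo update`. It generalizes the one case in the message to Cargo's documented default rule (the left-most non-zero component may not change); the function names and the candidate versions are assumptions made for illustration.

```rust
// Added example: Cargo's default ("caret") requirement rule, std only.
// Pre-release tags and partial versions such as "0.2" are not handled.
type Version = (u64, u64, u64);

/// Parse "MAJOR.MINOR.PATCH" into a tuple; None if malformed.
fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let v = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() {
        return None; // more than three components
    }
    Some(v)
}

/// Exclusive upper bound of the compatible range:
/// bump the left-most non-zero component and zero the rest.
fn caret_upper_bound(base: Version) -> Version {
    match base {
        (0, 0, patch) => (0, 0, patch + 1),
        (0, minor, _) => (0, minor + 1, 0),
        (major, _, _) => (major + 1, 0, 0),
    }
}

/// Does `candidate` satisfy `req`, where `req` is "*" or "x.y.z"?
/// Returns None when either string cannot be parsed.
fn satisfies(req: &str, candidate: &str) -> Option<bool> {
    let cand = parse_version(candidate)?;
    if req.trim() == "*" {
        return Some(true); // wildcard: every release is acceptable
    }
    let base = parse_version(req)?;
    // Tuples compare lexicographically, which matches version ordering here.
    Some(cand >= base && cand < caret_upper_bound(base))
}

fn main() {
    // Constructed candidate versions, not taken from the ticket.
    for cand in ["0.2.23", "0.2.24", "0.2.99", "0.3.0", "1.0.0"] {
        println!(
            "{:<7} \"*\": {:?}   \"0.2.24\": {:?}",
            cand,
            satisfies("*", cand),
            satisfies("0.2.24", cand)
        );
    }
}
```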