[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #22905 [Core Tor/Tor]: Cargo.lock and Cargo.toml specify incompatible dependencies for libc



#22905: Cargo.lock and Cargo.toml specify incompatible dependencies for libc
-----------------------------+--------------------------
 Reporter:  isis             |          Owner:
     Type:  defect           |         Status:  new
 Priority:  Medium           |      Milestone:
Component:  Core Tor/Tor     |        Version:
 Severity:  Normal           |     Resolution:
 Keywords:  rust, tor-build  |  Actual Points:
Parent ID:                   |         Points:
 Reviewer:                   |        Sponsor:  SponsorZ
-----------------------------+--------------------------

Comment (by alexcrichton):

 Hello! I figure I may be able to help clarify a bit here, although let me
 know if anything doens't make sense.

 > We committed src/rust/Cargo.lock which is a bit strange since it's
 normally not recommended, and especially not for library crates like ours

 Perhaps! It sort of depends on the goal here. It's true that most pure
 libraries tend to not commit Cargo.lock, but that's actually because cargo
 will ignore the Cargo.lock in dependencies, it'll only use the
 "application's" Cargo.lock. That's why projects like Servo and rustc
 itself will commit Cargo.lock. The repositories contain Cargo.lock but
 they also contain a bunch of libraries.

 In that sense it sort of depends on what the repository layout looks like
 here. If this is a library right next to an application you'd probably
 want to commit Cargo.lock, but if it's just a repo with a library then
 yeah I'd recommend changing `"*"` to `"0.2.24"` like you've got listed.

 There's some other documentation online (http://doc.crates.io/faq.html
 #why-do-binaries-have-cargolock-in-version-control-but-not-libraries) as
 well, but the cargo docs aren't always the most helpful :(

 In any case though I'd probably recommend avoiding `"*"` dependencies. If
 you use more targeted dependencies (like `"0.2.24"` which stands for
 "semver compatible with 0.2.24" which is actually `>=0.2.24, < 0.3`) then
 you can typically use `cargo update` to safely update dependencies without
 worrying about actually breaking your code. This'll help to easily pick up
 bug fixes and such in libraries without accidentally introducing breakage
 sometimes.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22905#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs