[tor-bugs] #22905 [Core Tor/Tor]: Cargo.lock and Cargo.toml specify incompatible dependencies for libc
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jul 13 05:01:52 UTC 2017
#22905: Cargo.lock and Cargo.toml specify incompatible dependencies for libc
-----------------------------+--------------------------
 Reporter:  isis             |          Owner:
     Type:  defect           |         Status:  new
 Priority:  Medium           |      Milestone:
Component:  Core Tor/Tor     |        Version:
 Severity:  Normal           |     Resolution:
 Keywords:  rust, tor-build  |  Actual Points:
Parent ID:                   |         Points:
 Reviewer:                   |        Sponsor:  SponsorZ
-----------------------------+--------------------------
Comment (by alexcrichton):
Hello! I figure I may be able to help clarify a bit here, although let me
know if anything doesn't make sense.
> We committed src/rust/Cargo.lock which is a bit strange since it's
> normally not recommended, and especially not for library crates like ours
Perhaps! It sort of depends on the goal here. It's true that most pure
libraries tend to not commit Cargo.lock, but that's actually because cargo
will ignore the Cargo.lock in dependencies, it'll only use the
"application's" Cargo.lock. That's why projects like Servo and rustc
itself will commit Cargo.lock. The repositories contain Cargo.lock but
they also contain a bunch of libraries.
In that sense it sort of depends on what the repository layout looks like
here. If this is a library right next to an application you'd probably
want to commit Cargo.lock, but if it's just a repo with a library then
yeah I'd recommend changing `"*"` to `"0.2.24"` like you've got listed.
There's some other documentation online
(http://doc.crates.io/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries)
as well, but the cargo docs aren't always the most helpful :(
In any case though I'd probably recommend avoiding `"*"` dependencies. If
you use more targeted dependencies (like `"0.2.24"` which stands for
"semver compatible with 0.2.24" which is actually `>=0.2.24, < 0.3`) then
you can typically use `cargo update` to safely update dependencies without
worrying about actually breaking your code. This'll help to easily pick up
bug fixes and such in libraries without accidentally introducing breakage
sometimes.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22905#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
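
Added example, not part of the ticket and not Cargo's own code: a std-only Rust program showing which versions a bare requirement such as "0.2.24" accepts compared with "*", generalized to the 0.0.z and partial forms of the same rule. The function names are hypothetical, the sample versions are constructed, and pre-release tags are assumed out of scope.

```rust
// Added example: Cargo's default ("caret") requirement matching, std only.
// Assumption: plain numeric x.y.z versions; pre-release/build tags are ignored.

/// Parse up to three dot-separated numeric components, e.g. "0.2" -> [0, 2].
fn parse(s: &str) -> Option<Vec<u64>> {
    let parts: Option<Vec<u64>> =
        s.trim().split('.').map(|p| p.parse::<u64>().ok()).collect();
    parts.filter(|p| p.len() <= 3)
}

/// Half-open range [low, high) accepted by a bare requirement such as "0.2.24".
/// Returns None for "*", which places no bound at all.
fn caret_bounds(req: &str) -> Option<([u64; 3], [u64; 3])> {
    if req.trim() == "*" {
        return None;
    }
    let given = parse(req.trim().trim_start_matches('^')).expect("numeric requirement");
    let mut low = [0u64; 3];
    low[..given.len()].copy_from_slice(&given);
    // The leftmost non-zero written component is pinned; if every written
    // component is zero, the last written one is pinned instead.
    let pin = given.iter().position(|&n| n != 0).unwrap_or(given.len() - 1);
    let mut high = [0u64; 3];
    high[..=pin].copy_from_slice(&low[..=pin]);
    high[pin] += 1;
    Some((low, high))
}

/// True if `version` (a full x.y.z) satisfies `req`.
fn satisfies(req: &str, version: &str) -> bool {
    let v = match parse(version) {
        Some(p) if p.len() == 3 => [p[0], p[1], p[2]],
        _ => return false,
    };
    match caret_bounds(req) {
        None => true, // "*" accepts every release, including breaking ones
        Some((low, high)) => low <= v && v < high,
    }
}

fn main() {
    // Constructed sample versions, not a list of real libc releases.
    for v in ["0.2.23", "0.2.24", "0.2.99", "0.3.0", "1.0.0"] {
        println!("{:<7} \"0.2.24\": {:<5} \"*\": {}",
                 v, satisfies("0.2.24", v), satisfies("*", v));
    }
}
```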