[tor-bugs] #22905 [Core Tor/Tor]: Cargo.lock and Cargo.toml specify incompatible dependencies for libc
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jul 13 18:45:29 UTC 2017
#22905: Cargo.lock and Cargo.toml specify incompatible dependencies for libc
-----------------------------+----------------------------------
Reporter: isis | Owner:
Type: defect | Status: merge_ready
Priority: Medium | Milestone: Tor: unspecified
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: rust, tor-build | Actual Points:
Parent ID: | Points:
Reviewer: isis | Sponsor: SponsorZ
-----------------------------+----------------------------------
Comment (by isis):
Replying to [comment:3 Sebastian]:
> The Cargo.lock file is committed on purpose, because we want
> reproducible builds eventually and builds using exact versions now. In our
> setup we're building an "internal" library, not something other people
> would pull in from crates.io.
>
> The reason we're using "*" is that dependency updates are manual always
> (they include vendoring a new thing) so accidental updates should be
> impossible, unless I'm missing something here.

If I understood correctly (and I might be wrong or still confused), I
think what was happening is that `cargo fetch` isn't actually looking at
the `Cargo.lock` file when it does the dependency resolution, so it sees
the `libc = "*"` in `src/rust/tor_util/Cargo.toml`, and it's like "great!
0.2.26 is the latest, I'll grab that" and then later when the build
scripts do `cargo build --release --quiet --frozen`, because we're using
`--frozen` it finally does look at the `Cargo.lock` file and it gets upset
that we don't have precisely version 0.2.22.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22905#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
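
Added example (not part of the ticket comment and not Tor's build code): a minimal Python check for the mismatch described above, flagging a `"*"` dependency whose fetched version differs from the exact version pinned in `Cargo.lock`. The file contents are constructed samples using the versions quoted in the comment, the function names are hypothetical, and the `fetched` mapping of versions actually present in the fetched or vendored sources is an assumption.

```python
import re

# Constructed sample inputs; only the libc versions come from the comment.
CARGO_TOML = '''\
[package]
name = "tor_util"
version = "0.0.1"

[dependencies]
libc = "*"
'''

CARGO_LOCK = '''\
[root]
name = "tor_util"
version = "0.0.1"
dependencies = [
 "libc 0.2.22 (registry+https://github.com/rust-lang/crates.io-index)",
]

[[package]]
name = "libc"
version = "0.2.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
'''

def wildcard_deps(manifest):
    """Names under [dependencies] whose requirement is the bare wildcard "*".
    Minimal line-based parse: handles only simple `name = "req"` entries."""
    section = re.search(r'^\[dependencies\]\s*\n(.*?)(?=^\[|\Z)', manifest, re.S | re.M)
    body = section.group(1) if section else ""
    return re.findall(r'^([\w-]+)\s*=\s*"\*"\s*$', body, re.M)

def locked_versions(lockfile):
    """Map crate name -> exact version pinned by each [[package]] entry."""
    pattern = r'^\[\[package\]\]\s*\nname = "([^"]+)"\s*\nversion = "([^"]+)"'
    return dict(re.findall(pattern, lockfile, re.M))

def lock_drift(manifest, lockfile, fetched):
    """(name, locked, fetched) for wildcard deps whose fetched version differs
    from the lockfile pin, the condition that a --frozen build rejects."""
    locked = locked_versions(lockfile)
    return [(name, locked.get(name), fetched.get(name))
            for name in wildcard_deps(manifest)
            if fetched.get(name) != locked.get(name)]

if __name__ == "__main__":
    # `fetched` is a hypothetical inventory of what the fetch step downloaded.
    for name, want, got in lock_drift(CARGO_TOML, CARGO_LOCK, {"libc": "0.2.26"}):
        print(f"{name}: Cargo.lock pins {want}, fetched {got}")
```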