fix: Change the defaults to always check-in Cargo.lock
#12382
Conversation
When the guide was written, it only included Travis CI. For while, it was *the* CI service people used. However, since git hosting services have been integrating CI support and with Travis CI's new owners, market share has been going down. One estimate I found said that Travis CI's market share is 0.94%. If we had a compelling reason to include it, independent of that, I would. However, including it and making it first in the list is a distraction. There are CI services in more common use (e.g. CircleCI, Jenkins) to include at this point over Travis.
|
r? @weihanglo (rustbot has picked a reviewer for you, use r? to override) |
rustbot
added
A-documenting-cargo-itself
|
I've marked this as a draft until the FCP is closed. |
Before, we were fairly prescriptive of when to check-in the `Cargo.lock` file. The guidance has been updated to instead explain the trade offs and to mostly leave it in users hands. As a starting point, we do say to check it in for those that want an "easy answer".
Following the default guidance to commit a lockfile, this updates `cargo new` to do it by default.
There was a problem hiding this comment.
Haven't really looked into it yet. Should we take care of source files traversal and cargo package as well?
cargo/src/cargo/ops/cargo_package.rs
Lines 268 to 274 in 1b15556
cargo/src/cargo/sources/path.rs
Lines 182 to 186 in 1b15556
|
I believe both of those cases are more about what your users have access to. In theory, users of a lib should not be affected by a |
|
Forgot to add, this is not just a draft until the FCP window closes but the cargo team was also wanting to wait on this until after the next beta branch so we get 12 weeks of feedback before this hits stable. |
|
☔ The latest upstream changes (presumably #12397) made this pull request unmergeable. Please resolve the merge conflicts. |
There are some usecases that use packaged |
|
Looks like rust-1.73.0 has been branched so I assume we are good to merge. |
|
Ed, thanks for your effort to this! Also thanks everyone for providing lots of useful practices and considerations. Hold on. We're now full speed ahead! @bors r+ |
bors
added
S-waiting-on-bors
|
☀️ Test successful - checks-actions |
| about why that is, see | ||
| ["Why do binaries have `Cargo.lock` in version control, but not libraries?" in the | ||
| FAQ](../faq.md#why-do-binaries-have-cargolock-in-version-control-but-not-libraries). | ||
| When in doubt, check `Cargo.lock` into git. |
There was a problem hiding this comment.
Just found this. We may use version control system instead.
| When in doubt, check `Cargo.lock` into git. | |
| When in doubt, check `Cargo.lock` into the version control system (e.g. Git). |
This is a follow up to rust-lang#12382
docs(guide): Generalize over VCSs This is a follow up to #12382
| - Only uses the resources necessary | ||
| - Can configure the frequency to balance CI resources and coverage of dependency versions | ||
|
|
||
| An example CI job to verify latest dependencies, using Github Actions: |
There was a problem hiding this comment.
Really minor but this should probably be "GitHub" (with capital "H"). That would also be consistent with the other references in this file.
| @@ -1,25 +1,8 @@ | |||
| ## Continuous Integration | |||
|
|
|||
| ### Travis CI | |||
| ### Getting Started | |||
There was a problem hiding this comment.
Is this header here really needed? And also, in general maybe the header levels have to be adjusted to be semantically more useful?
Currently the header hierarchy looks like this:
- Continuous Integration
- Getting Started
- GitHub Actions
- GitLab CI
- builds.sr.ht
- Verifying Latest Dependencies
Maybe something like this would be better?
- Continuous Integration
- <no sure how to name this>
- GitHub Actions
- GitLab CI
- builds.sr.ht
- Verifying Latest Dependencies
- <no sure how to name this>
|
Fixed these in #12630 |
docs(guide): Apply feedback on CI See #12382
Including Cargo.lock is recommended now to get reproducible builds, see rust-lang/cargo#12382
What does this PR try to resolve?
Having libraries leave
Cargo.lock"on the float" has been serving the ecosystem well, includingThese benefits are limited though. The policy is inconsistent between workspaces with or without
[[bin]]s, reducing the affect of testing the latest. This is also subject to when CI last ran; for passively maintained projects, there is little coverage of new dependencies.There are also costs associated with this policy
git bisectis using an unpredictable set of dependencies, affecting the ability to identify root causeIn particular, since this policy was decided, there has been an increased interest in supporting an MSRV (as recently as v1.56.0, cargo gained support for specifying a package's MSRV). This has led to long discussions on what MSRV a package should use (e.g. rust-lang/libs-team#72,. time-rs/time#535). Worst, there has been a growing trend for people to set an non-semver upper bound on dependencies, making it so packages can't work well with other packages (see #12323). Tooling support would help with this (#9930) but the sooner we address this, the less entrenched bad practices will be.
On the positive side, since the policy was decided
So to get some of the benefit from not checking in
Cargo.lock, we can recommend either automatically applying updates or having CI check the latest dependencies in a way to get this out of the critical path of PRs and releases.Since there is no one right answer on how to solve all of these problems, we're documenting these trade offs so people can make the choice that is most appropriate for them. However, we are changing the default to a consistent "always check it in" as the answer for those who don't want to think about it.
Prior art
Fixes #8728
How should we test and review this PR?
Please review per-commit. I tried to minimize changes I made to the structure of the CI document
In #8728, I brought up having a CI reference page. I keep going back and forth on whether this is guide-level material or reference-level material. Obviously, right now I'm leaning towards it being guide-level.
Additional information
This changes cargo from telling people what to do to giving them a starting point, or default, and giving them the information to make their own choice, if needed.
So the question for defaults is who are we targeting? For a default path in documentation, it would be for new to intermediate users. As for
cargo new, we've been prioritizing new users over those that run it frequently (boiler plate comment, bin is default, etc).See #8728 for the FCP on this policy change