-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"cargo install" apparently ignores "Cargo.lock" as opposed to "cargo build" #7169
Comments
This has been changed in 1.37 (beta). Starting in that version the The intent is that We discussed this a bit (#6840 (review) is most relevant). Ideally Cargo would issue a message with a hint to try |
I know, I should probably fix my |
Ah, yea, in that sense there is no change in behavior. I mis-remembered how it used to work. The present stable behavior for It's difficult to balance the defaults here. I think it would be confusing if cargo used |
Ah ok, so I guess it was the first time I ran into this because I deliberately held off on updating a dependency (due to breaking changes) which happens quite rarely... It's good to know that this is the default behaviour, but I think this should be a lot better documented, because it's highly unintuitive and surprising: I think it's the wrong default for binary crates because it means that you're deploying different binaries than you're testing! (In my opinion it would be ok, if |
There's a fairly lengthy paragraph on https://doc.rust-lang.org/nightly/cargo/commands/cargo-install.html that explains how |
I assume this will also be part of the Given that the described behaviour is apparently expected behaviour, I think we can close this issue? |
https://doc.rust-lang.org/nightly/cargo/commands/cargo-install.html has some misleading documentation under "Manifest Options" for
This is untrue for cargo install. In fact, I don't think this can ever succeed for
This is inaccurate for cargo install. If anything, you'd use these flags to use an "out-of-date" lock file - in the sense that all the documentation suggesting
This is technically accurate, but the way it implies it might not need to be updated is kinda confusing, as which crates are used will always be updated without these flags - for the install build at least - regardless of if they "need to be" or not. If this documentation is automatically shared with other commands, it might at least be worth breifly mentioning
?
Instead of trying to guess when an error can be fixed by |
(I also suspect I landed on the "Manifest Options" section by searching the cargo install docs page for "--frozen", which caused me to skip over the earlier/better explaination of locking behavior entirely.) |
Not for now, unfortunately we don't share the man pages with the help text. The long-term intent is to make it available in some fashion.
Yes, it is shared. We can probably make it special-cased for |
In that case I take back what I said earlier: I don't think I'd have the idea to look-up a description of a command online, if said command also has an extensive man page, so I still consider it undocumented behaviour... I also agree with @MaulingMonkey: If this is the desired behaviour, then it should at least generate warnings, something along those lines (modulo wordsmithing):
... possibly followed by a few suggestions on how to deal with the situation (i.e. use (Although I don't know the inner workings of cargo, so I can't judge how much work that would be...) |
(EDIT: Moved to #7495) |
I've hit this in rust-analyzer a couple of times, and I would appreciate the warning. How does this interact with publish-lockfile? Will adding |
publish-lockfile has been removed and is a no-op now. Cargo now automatically publishes the lock file if there are any binaries in the package. |
Let me see if I'm understanding this correctly, because lockfiles have been a pet-peeve of mine in other ecosystems (looking at you NPM).
This seems wrong, since it seems like this whole setup assumes crates are following semantic versioning, strictly. As far as I'm concerned As the author of Rust software, I want to use On the other hand I may find myself using only dependencies who follow "semantic versioning" effectively, and thus may decide to offer users automatic updates for dependencies. In this case I'd need to lock non-conforming dependencies explicitly in the Now, since we do allow published crates to be installed remotely, and some of these crates will become stale, it makes sense to allow new users of software correctly following semantic versioning to automatically get the updates. But this should be an opt-in process, since not all software follows semantic versioning (or is generally capable of handling automatic updates to dependencies). I might be missing a lot of details for why this next idea won't work, but in an automatically updating setup (like one following semver), I think I'd expect to not have a |
I personally would be fine with switching the default There's also a bit of risk that this would change current behavior, which some projects may be relying upon in some way. I'm not sure how things like dh-cargo would be impacted, or what they would prefer. |
It is surprising, indeed, and a security concern too: consider projects/apps that may just provide source tarballs or a repo somewhere, specially small ones within the Linux ecosystem. End-users will download a package and then run
And all this happens even if they have verified the checksums/signatures of their downloads or their checked out signed Git tags! I would say:
|
(This is another example of "I don't want anything to change, but I also want new changes". It's surprising how often this obviously (when expressed in these simple terms) irreconcilable conflict arises :P ) |
As a "simple user" I find this behavior completely unexpected and therefore breaks the most important rule of all rules when it comes to software development: https://en.wikipedia.org/wiki/Principle_of_least_astonishment I have no idea if you have the power to change this, but I would change it even if it breaks backwards compatibility. AFAIU Edit: Also I looked like an idiot reporting this issue in the "Alacritty" repository when this bug is in Cargo. And this is like the second most important rule in UX. Never make your users look stupid. |
@NickeZ I think the "case" that won't work is automatic (potentially security related) updates for downstream installers. However, as I've mentioned above, I believe that should be handled differently. Also, don't worry too much about looking like an idiot. This behavior surprised me too, and having some discussion on it in a now closed issue doesn't bother us. |
Our team got hit by this today and we found this behavior to be very surprising. Consistency is the key here, defaulting to use lock file for something and not for others are very inconsistent / surprising / confusing. |
@est31 Having a lockfile that automatically gets updated is just the worst of both worlds. The reason lockfiles are great because it ensures the output binary behaves exactly the same, not just that the output compiles. If you updated them automatically you'd just run into more esoteric issues that are essentially the same. If I'm uploading a binary to crates.io, I want people to run exactly what I released. I do not want any dependencies updated, even if those are "security" updates. That should be up to me. |
You are aware, I hope, that there are already a lot of people who have a low opinion of distribution channels that aren't Linux distro packages because of how much responsibility they place on the upstream maintainer to respond promptly to security advisories. (i.e. "Look at how badly Docker failed on ensuring a steady supply of security updates! Flatpak and statically linked languages like Go and Rust are evil and should not be allowed!") ...and I don't think there's a simple solution to reconcile the two conflicting needs here. Not to mention that we don't know how places that focus on giving the downstream the tools to protect themselves (eg. lib.rs) would react to packages with stale lockfiles if something like this doesn't include a mechanism for allowing Crates.io to overrule We could easily wind up with packages getting tarred with a bad reputation because they don't meet some externally imposed standard for how quickly security fixes must be rolled out... heck, imposing unreasonable demands for prompt security response on hobby projects was one of the things that sparked a lot of fear in the earlier drafts of the E.U.'s new rules for safer software infrastructure. |
Yes, that includes myself. But this just makes it worse, not better. If you're asking me, then this does nothing (or close to nothing) for security but has significant impact on reliability. You can't just And it's not like
Updating the lockfile changes almost nothing about this. Security issues are introduced in binaries regularly, not just libraries. And it's also possible that a breaking change is required to fix them. If people don't update their software, it's not safe to use, that's just the nature of the beast. |
As a maintainer of some projects I don't yet feel are ready to push to crates.io, I find that GitHub Dependabot is quite good at offering me dependency security fix PRs that pass all my GitHub Actions runs while only doing the kind of semver bumping that (So long as the dependency in question actually offers a minor version update for Dependabot to generate a security-update PR from, of course.)
That smells like a "Perfect solution or status quo. There's no such thing as an incremental improvement." argument to me. ...especially in projects like mine, where I'm generally cautious enough about how I design my things that any vulnerabilities are far more likely to be in my dependencies than in how I'm gluing them together. In the real world, people install unmaintained software. It's just human psychology that "I need this solved now" is a more significant psychological input than "there might be a hidden flaw in this which could bite me later". If anything, the current |
It is nice that cargo does include a hint to try using |
Since concrete instances of issues stemming from not respecting lockfiles are well understood and documented, it would be useful to collect information on concrete instances of the benefits of respecting lockfiles by default. It would be very helpful to know:
For either of these to be evidence that not respecting lockfiles is beneficial, it isn't enough for a crate a dependency to have a bug or security vulnerability, and the semver-compatible version that is selected by |
Other things which would be useful to know:
|
Fucked again by `cargo install` not using the lockfile unless explicitly specified. rust-lang/cargo#7169 Resolves: #641
Commenting on this point a bit more with the whole xz backdoor thing - if my binary package relies on a lib that got social engineered into someone being able to introduce a backdoor (and publish it as patch version), the current default cargo behavior would end up "upgrading" to the backdoored file if one of my users did I think this is another good case for locked to be the default, if the author of a project has a lockfile in place. |
I still think studies need to be done to calculate how often the current behaviour pushes out security updates faster than the dev updates their lock files vs. how often it prevents an exploit from being rolled out. The xz backdoor thing is certainly dramatic, but we don't want to succumb to what I'll call argumentum ad dramatum for now. Reasoning like that leads to people being so scared of dying in an airplane that they discount how you're much more likely to die in the car on the way to the airport. |
Como encuentro una dirección |
I saw that there was a related RFC but it seems this issue is still somewhat active. I ran into significant problems with this trying to use cargo install from a docker container build step against an older Rust version. It is my belief that the current behavior is broken. Having done some small spelunking it appeared that it was only chosen back in 1.39 because there was a desire not to change away from the previous behavior. At this point it's clearly correct to invert the default and provide an
I want to briefly mention that the problem of building an older version is compounded by MSRV which is not respected by cargo when choosing the specific dependency to build against. That's a separate issue. I only mention it because the specific task of building anything against an older Rust version is a major pain point with the tooling right now, and making this small change to |
Here we can see our own infra team being surprised by |
FYI, the problem here is that the publishers of datadog-ci have not uploaded a lockfile to npm. you can verify this by checking out https://www.npmjs.com/package/@datadog/datadog-ci?activeTab=code. It's a separate matter that binary packages should use If |
Ah, I misunderstood then, thanks.
|
I've encountered a strange issue today.
Background: The
percent-encoding
crate recently made a new major release. Knowing that stuff could break I held off on updating the crate because I haven't yet had time to check what changed.Problem
When I compile my binary crate using
cargo build
(with and without--release
) everything builds fine. However, if I compile my binary usingcargo install --path . -f
, compilation fails with an error related topercent-encoding
(the breaking change warranting the major version bump I assume..). In the output I see that it compiledpercent-encoding v2.0.0
instead ofpercent-encoding v1.0.1
as specified inCargo.lock
. (Note: TheCargo.toml
doesn't specify a specific version.)The crate is the following, if you want to try at home:
https://github.com/df5602/bingers
Steps
$ cargo clean
$ cargo build
$ cargo build --release
$ cargo install --path . -f
I can work around it by specifying an explicit version in
Cargo.toml
, but the observed behaviour was surprising to me...Notes
Output of
cargo version
:cargo 1.36.0 (c4fcfb725 2019-05-15)
OS: Mac
The text was updated successfully, but these errors were encountered: