docs.rs source view adds Cargo.lock files that are not the crate #2499

Closed
kornelski opened this issue Apr 21, 2024 · 3 comments · Fixed by #2529
Labels
A-backend Area: Webserver backend A-builds Area: Building the documentation for a crate C-bug Category: This is a bug E-easy Effort: Should be easy to implement and would make a good first PR

Comments

@kornelski

For example, the source view for homestar-workspace-hack 0.1.0 shows it has a Cargo.lock file. However, the crate tarball (sha256 f8262aa8f1bd0abeb4d0cdf11ec0dcdfef10951df63a4b09741665c9bd7531b1) has no such file.

I would expect the source view to show only files present in the crate tarball. It's concerning that this looks like a "dirty" state after cargo has been run.

@syphar
Member

syphar commented May 3, 2024

Hi @kornelski,

Valid point, the file is likely a remainder from the build process, since currently we're copying the source after the builds.

The solution is of course to copy / upload the source before we build the crate, which will also neatly fit into #2467 as an intermediate result we can expose for failed builds.

@syphar syphar added E-easy Effort: Should be easy to implement and would make a good first PR A-builds Area: Building the documentation for a crate A-backend Area: Webserver backend C-bug Category: This is a bug labels May 3, 2024
@kpreid

kpreid commented May 21, 2024

The displayed Cargo.lock is also updated, i.e. may contain newer versions than the lock file already present in the package. This just gave me a lot of confusion when trying to figure out why a cargo install --locked build was using versions older than docs.rs showed.

(I imagine that a malicious package could also change its own files during build to hide them from the source view.)

@syphar
Member

syphar commented Jun 23, 2024

I created a PR that will move storing the source files to before the build, after the fetch.

This will also have the advantage that we can browse the sources for some error cases.
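
Added example, not part of the thread and not docs.rs code: a check for the mismatch discussed above, comparing per-file SHA-256 digests of a `.crate` tarball against a source tree on disk, as it might look after a build has run. The crate contents, file names and helper names are constructed for illustration.

```python
import hashlib, io, tarfile, tempfile
from pathlib import Path

def tarball_digests(crate_bytes):
    """Map path (top-level `name-version/` dir stripped) -> sha256, regular files only."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for m in tar:
            if m.isfile():
                rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
                out[rel] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out

def tree_digests(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare(crate_bytes, tree_root):
    """Report files the tree adds, lacks, or shows with different content."""
    packaged, shown = tarball_digests(crate_bytes), tree_digests(tree_root)
    return {
        "added": sorted(shown.keys() - packaged.keys()),
        "missing": sorted(packaged.keys() - shown.keys()),
        "modified": sorted(k for k in packaged.keys() & shown.keys()
                           if packaged[k] != shown[k]),
    }

def make_crate(files, prefix="demo-0.1.0"):
    """Build a constructed .crate (gzip tar) in memory for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo():
    # Constructed sample: the packaged files, then a tree that differs from them.
    packaged = {"Cargo.toml": b'[package]\nname = "demo"\n',
                "src/lib.rs": b"pub fn f() {}\n", "build.rs": b"fn main() {}\n"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in packaged.items():
            p = Path(d, name); p.parent.mkdir(parents=True, exist_ok=True); p.write_bytes(data)
        Path(d, "Cargo.lock").write_bytes(b"version = 3\n")      # created by the build
        Path(d, "src/lib.rs").write_bytes(b"pub fn f() { }\n")   # content differs from package
        Path(d, "build.rs").unlink()                             # no longer present in the tree
        return compare(make_crate(packaged), d)
```

Any non-empty list in the result means the tree is not a faithful view of the published package.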
