-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cargo metadata
: provide an option not to collect data about dev-dependencies
#14794
Comments
Correct me if I'm wrong. |
In those situations, it isn't only Also, the dependency resolver can skip dev dependencies today but I'm unsure if that is hard requirement for the use cases that use it or if we could move that to a later stage which would have a lot of other benefits for Cargo. However, that would be a no- I have been toying with how we could construct an alternative set of plumbing commands that could give more control or be swapped out with custom logic in different situations. We'd need a lot of experimentation in third party code before we could have a good feel for for whether these would meet people's needs and not overly restrict Cargo. |
Ideally, yes. That would also take care of #10718. But really, anything that doesn't require the contents of the .crate files for dev-dependencies to be present would do. I'm not familiar with Cargo internals, so I cannot really tell what the best "under the hood" mechanism would be.
Well,
A machine-readable output for For |
Oh, right. If you are using the registry and not vendored dependencies, the Index will be used for dependency resolution so The problem comes in when we get the extended information for including in the metadata output that we need the However, this is Debian. I would assume a registry is not being used. Are the |
@alexanderkjall since you worked on the integration into Debian, could you explain to Cargo developers how the Debian build process for Rust packages works and how it avoids using the dev-dependencies? |
I tried to write something, I'm not really sure if I hit the correct abstraction level here at all, so please ask more questions if needed: How does building binaries from rust source work in Debian: Debian does not allow the build servers to fetch source code from the internet while building, instead all source code that generates a binary must be already packaged and part of Debian before the build of the binary can happen. There is also a concept of source packages and binary packages in Debian, with rust this gets a tad complicated. For rust-libraries the debian-binary package contains the source code of the library (for C it would contain the .so file), but for rust-binaries the debian-binary package contains the binary. Here is an example of the content of a Debian-binary package built from rust: And here is the Debian-source package for that: For libraries this looks like this: https://packages.debian.org/source/sid/rust-futures-channel This means that Debian mirrors the dependency resolution system in cargo in it's own package system. The build then first does the dependency resolution on the Debian side, and installs librust--dev packages, these packages only contain rust source code that gets placed into /usr/share/cargo/registry/ . Of note is also that the dependency resolution on Debians side is recursive, we read the content of Cargo.toml and only insert those entries into the dependency list, and then the apt dependency resolution will walk the tree and pull in what is needed. Debian do not respect/care about the Cargo.lock file. Testing of the source code is also slightly involved, tests in Debian are run in a separate section from the normal build, called autopkgtest, and we run those per feature plus all-features and no-features. The dev-dependencies gets added as to the Depends: row for the autopkgtest section, but not the build section. One important aspect of why this is loops in the dependency tree, it's quite common that a -derive package dev-depends on the main package in rust and if those dev-dependencies got added to the build Depends in Debian we would end up with a loop in the build system that it can't handle. |
adding some more bits: there's actually two different ways we test crate sources in Debian packaging:
in both cases, the dev-dependencies are not used as part of the regular build, but just for the (decoupled, running after packages are built) autopkgtests. for regular package building, we use a cargo wrapper that (among other things) injects so in summary, it would be great if cargo could be taught to ignore referenced crates not existing for various actions - it would make our packaging life easier. it's not required to build and test packages though, as that part is already handled by the existing options in cargo. (similarly, it would be great to be able to tell cargo to ignore the non-existence of dependencies for targets that are not currently being looked at/built for/.., as we have to patch such things out, and it causes a lot of meaningless patch churn when pulling in updates - but that is probably a separate issue ;)) |
So it sounds like Debian is working around this via #5133 and what they really are wanting is some staiblized form of that that would then be used by all of the third-party commands. In that case, would the appropriate thing to do is to shift the conversation over to #5133 or is there something distinct about this request? |
From the |
What is missing from it? |
Both I've tried it both with and without the |
So this should be treated more as a bug report against The name just says to "avoid" not to exclude. This matches some of the long form descriptions like for the feature
However, the summary is different
(and then there is the This came up because the flag /// `true` if this workspace should enforce optional dependencies even when
/// not needed; false if this workspace should only enforce dependencies
/// needed by the current configuration (such as in cargo install). In some
/// cases `false` also results in the non-enforcement of dev-dependencies.
require_optional_deps: bool, Without With this meaning, I can see either keeping the hard coded As this is an unstable feature without a clear path to stabilization and not much feedback on people want, I lean towards the latter. If we do that, we need to call it out in the tracking issue so we keep it in mind if we ever get around to stabilization. |
We talked about this in the last Cargo team meeting. We are fine with this moving forward. As there isn't a clear path to stabilizing |
Problem
In certain environments that tightly control dependencies (e.g. for the purposes of supply-chain security) the dev-dependencies are not present when code is compiled. But
cargo metadata
always tries to collect data for the entire dependency tree, including dev-dependencies. It errors out and reports no info if dev-dependencies are missing.In practical terms this blocks the deployment of
cargo auditable
(which relies oncargo metadata
) within Debian (which does not package dev-dependencies).This is similar to #10718, but this isn't just a problem with feature unification - the dev-dependency packages are not present at all.
Proposed Solution
Adding a new flag,
--no-dev-deps
(following the precedent of the existing--no-deps
flag) so thatcargo metadata
wouldn't attempt to query dev-dependencies would resolve this.Cargo generating a SBOM natively would also solve this by letting
cargo auditable
bypasscargo metadata
completely. But that's going to take a long time to reach stable. That feature isn't even on nightly yet, since the reviews of the RFC and the implementation PR seem to have stalled.Making it possible to query
cargo metadata
without requiring dev-dependencies to be present seems like a simpler and more straightforward change that shouldn't require as much design and stabilization work.Notes
cargo auditable
got a lot of uptake from Linux distributions. 5 distros, including Alpine and NixOS, are already building all their Rust packages with it. There is also interest from Debian, but this issue makes adoptingcargo auditable
a non-starter in their environment.The text was updated successfully, but these errors were encountered: