feat(cargo-vendor): vendor path dep if it is not in any given workspaces #55
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Generally cargo don't vendor path dependencies. This seems quiet reasonable path dependencies are "local" comparing to git or registry dependencies, and usually under the user's control. However, it is not always the case. A workspace might contain * any `[patch]` to local path dependencies * a set of shared path dependencies outside the current workspace These use cases demonstrate that users might not have controls or permissions to those dependencies. When they want to create a reproducible tarball for their own workspace, `cargo vendor` is not a tool helping them achieve the goal. There is one workaround: Have a `[patch]` to a local git repository instead of a lcoal path dependency. This is not ergonomic and adds overhead of setting git repositories. This PR proposes that Cargo vendors path dependencies if they are not belong to any given workspaces. As a side effect, this exposes a new `[source]` kind `path`: ```toml [source."path+file:///path/to/package"] path = "/path/to/package" replace-with = "vendored-sources" ```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR try to resolve?
feat(cargo-vendor): vendor path dep if it is not in any given workspaces
Generally cargo don't vendor path dependencies.
This seems quiet reasonable path dependencies are "local" comparing
to git or registry dependencies, and usually under the user's control.
However, it is not always the case.
A workspace might contain
[patch]to local path dependenciesThese use cases demonstrate that users might not have controls or
permissions to those dependencies. When they want to create a
reproducible tarball for their own workspace,
cargo vendoris not atool helping them achieve the goal.
There is one workaround: Have a
[patch]to a local git repositoryinstead of a lcoal path dependency. This is not ergonomic and adds
overhead of setting git repositories.
This PR proposes that Cargo vendors path dependencies if they are
not belong to any given workspaces.
As a side effect, this exposes a new
[source]kindpath:How should we test and review this PR?
This is a proof-of-concept, not ready for serious code review.
Additional information
An alternative to rust-lang#12858
Fixes rust-lang#9172
Possibly also rust-lang#10134, but I am not sure if they intend to vendor workspace members.