This PR marks several tests within cache_lock.rs as unsupported on the
AIX platform. The tests relies on flock() behaviour that is not
supported on AIX.
### What does this PR try to resolve?
A user will now be able to use flags like `--workspace` with `cargo
publish`.
`cargo package` will now also work with those flags without having to
pass `--no-verify --exclude-lockfile`.
Many release tools have come out that solve this problem. They will
still need a lot of the logic that went into that for other parts of the
release process.
However, a cargo-native solution allows for:
- Verification during dry-run
- Better strategies for waiting for the publish timeout
`cargo publish` is non-atomic at this time.
If there is a server side error, network error, or rate limit during the
publish, the workspace will be left in a partially published state.
Verification is done before any publishing so that won't affect things.
There are multiple strategies we can employ for improving this over
time, including
- atomic publish
- `--idempotent` (#13397)
- leave this to release tools to manage
This includes support for `--dry-run` verification. As release tools
didn't have a way to do this before, users may be surprised at how slow
this is because a `cargo build` is done instead of a `cargo check`. This
is being tracked in #14941.
This adds to `cargo package` the `--registry` and `--index` flags to
help with resolving dependencies when depending on a package being
packaged at that moment.
These flags are only needed when a `cargo package --workspace` operation
would have failed before due to inability to find a locally created
dependency.
Regarding the publish timeout, `cargo publish --workspace` publishes
packages in batches and we only timeout if nothing in the batch has
finished being published within the timeout, deferring the rest to the
next wait-for-publish. So for example, if you have packages `a`, `b`,
`c` then we'll wait up to 60 seconds and if only `a` and `b` were ready
in that time, we'll then wait another 60 seconds for `c`.
During testing, users ran into issues with `.crate` checksums:
- ~~#15647~~ Fixed for `cargo publish --dry-run` in #15711
- But `cargo package` still has the problem
- #14396 (not been able to reproduce)
- #15622 (reproducible with consecutive `cargo publish` calls)
Fixes#1169Fixes#10948
### How to test and review this PR?
By stabilizing this, Cargo's behavior becomes dependent on an overlay
registry.
When generating a lockfile or verifying a package, we overlay the
locally generated `.crate` files on top of the registry so the registry
appears as it would and everything works.
If there is a conflict with a version, the local version wins which is
important for the dry-run mode of release tools as they won't have
bumped the version yet.
Our concern for the overlay registry is dependency confusion attacks.
Considering this is not accessible for general user operations, this
should be fine.
### What does this PR try to resolve?
cargo-auditable 0.7.0 will use the unstable Cargo SBOM precursor files
if a user configures Cargo to generate the SBOM files. cargo-auditable
assumes that the package ID specifiers in Cargo SBOM files are fully
qualified.
We'd like to enforce this assumption in Cargo so we can keep our package
ID spec parsing simpler by not considering non-fully qualified package
ID specs. This PR updates the cargo docs to state where fully qualified
package ID specs are used, and also adds SBOMs to the existing `cargo
pkgid` test that is currently enforcing consistency between the various
usages of fully qualified package id specs.
Previously raised at [#t-cargo > sbom missing name, version, source @
💬](https://rust-lang.zulipchat.com/#narrow/channel/246057-t-cargo/topic/sbom.20missing.20name.2C.20version.2C.20source/near/525443447)
### How to test and review this PR?
Change doesn't affect current behaviour.
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
|
[cargo-semver-checks](https://redirect.github.com/obi1kenobi/cargo-semver-checks)
| minor | `0.41.0` -> `0.42.0` |
---
### Release Notes
<details>
<summary>obi1kenobi/cargo-semver-checks (cargo-semver-checks)</summary>
###
[`v0.42.0`](https://redirect.github.com/obi1kenobi/cargo-semver-checks/compare/v0.41.0...v0.42.0)
[Compare
Source](https://redirect.github.com/obi1kenobi/cargo-semver-checks/compare/v0.41.0...v0.42.0)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - Every minute ( * * * * * ) (UTC),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/rust-lang/cargo).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNy4yIiwidXBkYXRlZEluVmVyIjoiNDEuMTcuMiIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119-->
### What does this PR try to resolve?
This is prep for updating `toml` which will change some of these error
messages
### How to test and review this PR?
### What does this PR try to resolve?
Implements another part of feature unification (#14774,
[rfc](1c590ce05d/text/3692-feature-unification.md)).
The `workspace` option was implemented in #15157, this adds the
`package` option.
### How to test and review this PR?
The important change is changing `WorkspaceResolve` so it can contain
multiple `ResolvedFeature`s. Along with that, it also needs to know
which specs those features are resolved for. This was used in several
other places:
- `cargo fix --edition` (from 2018 to 2021) - I think it should be ok to
disallow using `cargo fix --edition` when someone already uses this
feature.
- building std - it should be safe to assume std is not using this
feature so I just unwrap there. I'm not sure if some attempt to later
feature unification would be better.
- `cargo tree` - I just use the first feature set. This is definitely
not ideal, but I'm not entirely sure what's the correct solution here.
Printing multiple trees? Disallowing this, forcing users to select only
one package?
Based on comments in #15157 I've added tests first with `selected`
feature unification and then changed that after implementation. I'm not
sure if that's how you expect the tests to be added first, if not, I can
change the history.
I've expanded the test checking that this is ignored for `cargo install`
although it should work the same way even if it is not ignored
(`selected` and `package` are the same thing when just one package is
selected).
### What does this PR try to resolve?
I know that us not publishing `build-rs` recently came up and was
surprised to see this wasn't fixed. Unsure where that conversation is or
what happened with it.
Looks like it was in #15567 and there was no follow up on my side...
### How to test and review this PR?
Fixes#15647.
When dry-run publishing workspace without bumping versions first, the
package-verification step would fail because it would see checksum
mismatches between the old lock file (that saw index deps) and the new
lock file where those index deps got replaced by local packages with the
same version.
In this PR, the packaging step modifies the old lock file's checksums
before re-resolving, but only in dry-run mode.
A user will now be able to use flags like `--workspace` with `cargo
publish`.
`cargo package` will now also work with those flags without having to
pass `--no-verify --exclude-lockfile`.
Many release tools have come out that solve this problem.
They will still need a lot of the logic that went into that for other
parts of the release process.
However, a cargo-native solution allows for:
- Verification during dry-run
- Better strategies for waiting for the publish timeout
`cargo publish` is non-atomic at this time.
If there is a server side error, network error, or rate limit during the publish,
the workspace will be left in a partially published state.
Verification is done before any publishing so that won't affect things.
There are multiple strategies we can employ for improving this over time,
including
- atomic publish
- `--idempotent` (#13397)
- leave this to release tools to manage
This includes support for `--dry-run` verification.
As release tools didn't have a way to do this before,
users may be surprised at how slow this is because a `cargo build` is
done instead of a `cargo check`. This is being tracked in #14941.
This adds to `cargo package` the `--registry` and `--index` flags to
help with resolving dependencies when depending on a package being
packaged at that moment.
These flags are only needed when a `cargo package --workspace` operation
would have failed before due to inability to find a locally created
dependency.
Regarding the publish timeout, `cargo publish --workspace` publishes
packages in batches and we only timeout if nothing in the batch has
finished being published within the timeout, deferring the rest to the
next wait-for-publish. So for example, if you have packages `a`, `b`, `c` then
we'll wait up to 60 seconds and if only `a` and `b` were ready in that time,
we'll then wait another 60 seconds for `c`.
During testing, users ran into issues with `.crate` checksums that we've
not been able to reproduce since:
- https://github.com/rust-lang/cargo/issues/1169#issuecomment-2567995987
- #14396
By stabilizing this, Cargo's behavior becomes dependent on an overlay
registry.
When generating a lockfile or verifying a package, we overlay the
locally generated `.crate` files on top of the registry so the registry
appears as it would and everything works.
If there is a conflict with a version, the local version wins which is
important for the dry-run mode of release tools as they won't have
bumped the version yet.
Our concern for the overlay registry is dependency confusion attacks.
Considering this is not accessible for general user operations, this
should be fine.
Fixes#1169Fixes#10948
### What does this PR try to resolve?
This PR changes the triggering `rustc` lint in the
`fix_only_once_for_duplicates` test from `unused_must_use` to
`forgetting_references`, because we are changing in
https://github.com/rust-lang/rust/pull/143030 the interaction between
that lint and macros.
This is required as it blocking the rust PR,
https://github.com/rust-lang/rust/pull/143030#issuecomment-3009124056.
### How to test and review this PR?
Look at the test changes.
This adds a `http.proxy-cainfo` option to Cargo which reads CA
information from a bundle to pass through to the underlying `libcurl`
call. This should allow configuration of Cargo in situations where SSL
proxy is used.
Similar to https://github.com/rust-lang/cargo/pull/2917.
cc #15376
