
### What does this PR try to resolve?

A user will now be able to use flags like `--workspace` with `cargo publish`.

`cargo package` will now also work with those flags without having to pass `--no-verify --exclude-lockfile`.

Many release tools have come out that solve this problem. They will still need a lot of the logic that went into that for other parts of the release process. However, a cargo-native solution allows for:

- Verification during dry-run
- Better strategies for waiting for the publish timeout

`cargo publish` is non-atomic at this time. If there is a server side error, network error, or rate limit during the publish, the workspace will be left in a partially published state. Verification is done before any publishing so that won't affect things. There are multiple strategies we can employ for improving this over time, including

- atomic publish
- `--idempotent` (#13397)
- leave this to release tools to manage

This includes support for `--dry-run` verification. As release tools didn't have a way to do this before, users may be surprised at how slow this is because a `cargo build` is done instead of a `cargo check`. This is being tracked in #14941.

This adds to `cargo package` the `--registry` and `--index` flags to help with resolving dependencies when depending on a package being packaged at that moment. These flags are only needed when a `cargo package --workspace` operation would have failed before due to inability to find a locally created dependency.

Regarding the publish timeout, `cargo publish --workspace` publishes packages in batches and we only timeout if nothing in the batch has finished being published within the timeout, deferring the rest to the next wait-for-publish. So for example, if you have packages `a`, `b`, `c` then we'll wait up to 60 seconds and if only `a` and `b` were ready in that time, we'll then wait another 60 seconds for `c`.

During testing, users ran into issues with `.crate` checksums:

- ~~#15647~~ Fixed for `cargo publish --dry-run` in #15711
  - But `cargo package` still has the problem
- #14396 (not been able to reproduce)
- #15622 (reproducible with consecutive `cargo publish` calls)

Fixes #1169
Fixes #10948

### How to test and review this PR?

By stabilizing this, Cargo's behavior becomes dependent on an overlay registry. When generating a lockfile or verifying a package, we overlay the locally generated `.crate` files on top of the registry so the registry appears as it would and everything works. If there is a conflict with a version, the local version wins which is important for the dry-run mode of release tools as they won't have bumped the version yet.

Our concern for the overlay registry is dependency confusion attacks. Considering this is not accessible for general user operations, this should be fine.
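The overlay precedence described in the commit message above ("the local version wins"), as a simplified model added here for illustration; it is not Cargo's own code. The `overlay` function, the `Entry` and `Source` types and the sample checksums are assumptions made for the example. It also returns every upstream entry that a local `.crate` replaced, which is the list worth auditing when the concern is dependency confusion.

```rust
use std::collections::BTreeMap;

/// Where a resolved entry came from.
#[derive(Debug, Clone, PartialEq)]
enum Source { Upstream, Local }

/// One index entry with the checksum of its `.crate` file.
#[derive(Debug, Clone, PartialEq)]
struct Entry { cksum: String, source: Source }

type Key = (String, String); // (package name, version)

/// Overlay locally packaged crates on an upstream index view.
/// Returns the merged view plus every key where a local entry replaced an
/// upstream one, so the shadowing can be audited.
fn overlay(upstream: &[(&str, &str, &str)], local: &[(&str, &str, &str)])
    -> (BTreeMap<Key, Entry>, Vec<Key>)
{
    let mut merged = BTreeMap::new();
    for (name, ver, cksum) in upstream {
        merged.insert((name.to_string(), ver.to_string()),
            Entry { cksum: cksum.to_string(), source: Source::Upstream });
    }
    let mut shadowed = Vec::new();
    for (name, ver, cksum) in local {
        let key = (name.to_string(), ver.to_string());
        let entry = Entry { cksum: cksum.to_string(), source: Source::Local };
        // On a version conflict the local entry wins.
        if merged.insert(key.clone(), entry).is_some() {
            shadowed.push(key);
        }
    }
    (merged, shadowed)
}

fn main() {
    // Constructed sample data; the checksums are placeholders.
    let upstream = [("a", "1.0.0", "up-a"), ("b", "1.0.0", "up-b")];
    let local = [("a", "1.0.0", "local-a"), ("c", "0.1.0", "local-c")];
    let (merged, shadowed) = overlay(&upstream, &local);
    for ((name, ver), e) in &merged {
        println!("{name} {ver} {:?} {}", e.source, e.cksum);
    }
    println!("shadowed upstream entries: {shadowed:?}");
}
```
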
Cargo
Cargo downloads your Rust project’s dependencies and compiles your project.
To start using Cargo, learn more at The Cargo Book.
To start developing Cargo itself, read the Cargo Contributor Guide.
The Cargo binary distributed with Rust is maintained by the Cargo team for use by the wider ecosystem. For all other uses of this crate (as a binary or library), it is maintained by the Cargo team primarily for use by Cargo and is not intended for external use (except as a transitive dependency). This crate may make major changes to its APIs.
Code Status
Code documentation: https://doc.rust-lang.org/nightly/nightly-rustc/cargo/
Compiling from Source
Requirements
Cargo requires the following tools and packages to build:
- `cargo` and `rustc`
- A C compiler for your platform
- `git` (to clone this repository)
Other requirements:
The following are optional based on your platform and needs.
- `pkg-config` — This is used to help locate system packages, such as `libssl` headers/libraries. This may not be required in all cases, such as using vendored OpenSSL, or on Windows.
- OpenSSL — Only needed on Unix-like systems and only if the `vendored-openssl` Cargo feature is not used.

  This requires the development headers, which can be obtained from the `libssl-dev` package on Ubuntu or `openssl-devel` with apk or yum or the `openssl` package from Homebrew on macOS.

  If using the `vendored-openssl` Cargo feature, then a static copy of OpenSSL will be built from source instead of using the system OpenSSL. This may require additional tools such as `perl` and `make`.

  On macOS, common installation directories from Homebrew, MacPorts, or pkgsrc will be checked. Otherwise it will fall back to `pkg-config`.

  On Windows, the system-provided Schannel will be used instead.

  LibreSSL is also supported.
Optional system libraries:
The build will automatically use vendored versions of the following libraries. However, if they are provided by the system and can be found with `pkg-config`, then the system libraries will be used instead:
- `libcurl` — Used for network transfers.
- `libgit2` — Used for fetching git dependencies.
- `libssh2` — Used for SSH access to git repositories.
- `libz` (AKA zlib) — Used by the above C libraries for data compression. (Rust code uses `zlib-rs` instead.)
It is recommended to use the vendored versions as they are the versions that are tested to work with Cargo.
Compiling
First, you'll want to check out this repository:

```
git clone https://github.com/rust-lang/cargo.git
cd cargo
```

With `cargo` already installed, you can simply run:

```
cargo build --release
```
Adding new subcommands to Cargo
Cargo is designed to be extensible with new subcommands without having to modify Cargo itself. See the Wiki page for more details and a list of known community-developed subcommands.
Releases
Cargo releases coincide with Rust releases. High level release notes are available as part of Rust's release notes. Detailed release notes are available in the changelog.
Reporting issues
Found a bug? We'd love to know about it!
Please report all issues on the GitHub issue tracker.
Contributing
See the Cargo Contributor Guide for a complete introduction to contributing to Cargo.
License
Cargo is primarily distributed under the terms of both the MIT license and the Apache License (Version 2.0).
See LICENSE-APACHE and LICENSE-MIT for details.
Third party software
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (https://www.openssl.org/).
In binary form, this product includes software that is licensed under the terms of the GNU General Public License, version 2, with a linking exception, which can be obtained from the upstream repository.
See LICENSE-THIRD-PARTY for details.