99075f2a47
fetch specific commits even if the github fast path fails
### What does this PR try to resolve?
This PR fixes #13555, which describes a regression from 1.64.0 to 1.65.0 where the inability to fetch commit information from api.github.com (the "GitHub fast path") silently changes Cargo's behavior.
Cargo can fetch a specific Git commit from a remote without having to fetch all refs. Prior to #10807, this functionality required a repository hosted on github.com and providing the full commit hash (usually available from the Cargo.lock); after that change, any revision (including abbreviated revisions) that could be resolved by GitHub's API could be fetched directly. However, this logic requires the "GitHub fast path", which was not intended to be robust, to successfully return the resolved commit hash; if a client is currently rate-limited by api.github.com (very common in CI and shared cloud / corporate environments) this fails and Cargo falls back to fetching all refs.
Usually this is not noticeable. However, GitHub allows fetching commits that are related to the repository but not actually part of any of its refs, including commits pushed to a fork. This results in the same command working fine in some environments where api.github.com is accessible, and not working in other environments that are rate-limited, which is very confusing and difficult to debug.
This change adds another branch to cover the regression case: if we are going through the GitHub fast path with a full commit hash, return early indicating that we need to fetch it. (Previously: ~~when the GitHub fast path was unsuccessful, the user is not using the unstable shallow clone options, and we have a full commit hash and expect to be able to fetch it directly because we know it's a github.com repository.~~)
### How should we test and review this PR?
I have been testing this PR by temporarily adding a `0.0.0.0 api.github.com` entry to my `/etc/hosts`, which causes the GitHub fast path to always fail, then running:
```
target/release/cargo install --git https://github.com/haha-business/unstable-test-repo.git --rev c9040898c9183ddbb9402dcbf749ed06d6ea90ad
```
This refers to [a particular commit on a fork of the repo](c9040898c9) which won't be found by the fallback path or current Cargo.
**Note** that you will need to delete `~/.cargo/git/checkouts/unstable-test-repo-*` and `~/.cargo/git/db/unstable-test-repo-*` after a successful run with this change in order to reproduce the broken behavior of the current release.
I am having trouble getting the test suite to run at all on my system so I haven't experimented with writing a specific test for this case, but I probably should.
### Additional information
This uses the same logic as the unstable shallow clone support to detect if the revision is a full commit hash. This is not compatible with SHA-256 commit hashes; `git2::Oid` specifically expects a 40-character hexadecimal string. Given that the change introducing this bug was meant to future-proof SHA-256 support (despite only doing so for GitHub repositories), it might be good to make the logic more explicit within Cargo and allow either 40- or 64-character hex strings.
I wanted to keep this change focused on the regression fix, but in testing, pretty much every Git repository I could think of (including non-forges, like git.kernel.org and some repositories I host on my own infrastructure with cgit) supports fetching directly from a commit, so it would be ideal to eventually relax the GitHub requirement for this functionality. However, it would need some sort of fallback logic because I suspect the HTTP [dumb protocol](https://git-scm.com/book/en/v2/Git-Internals-Transfer-Protocols) doesn't support commit references, and I haven't researched when this functionality was added to the smart protocol.
Cargo
Cargo downloads your Rust project’s dependencies and compiles your project.
To start using Cargo, learn more at The Cargo Book.
To start developing Cargo itself, read the Cargo Contributor Guide.
Code Status
Code documentation: https://doc.rust-lang.org/nightly/nightly-rustc/cargo/
Installing Cargo
Cargo is distributed by default with Rust, so if you've got rustc installed
locally you probably also have cargo installed locally.
Compiling from Source
Requirements
Cargo requires the following tools and packages to build:
cargoandrustc- A C compiler for your platform
git(to clone this repository)
Other requirements:
The following are optional based on your platform and needs.
-
pkg-config— This is used to help locate system packages, such aslibsslheaders/libraries. This may not be required in all cases, such as using vendored OpenSSL, or on Windows. -
OpenSSL — Only needed on Unix-like systems and only if the
vendored-opensslCargo feature is not used.This requires the development headers, which can be obtained from the
libssl-devpackage on Ubuntu oropenssl-develwith apk or yum or theopensslpackage from Homebrew on macOS.If using the
vendored-opensslCargo feature, then a static copy of OpenSSL will be built from source instead of using the system OpenSSL. This may require additional tools such asperlandmake.On macOS, common installation directories from Homebrew, MacPorts, or pkgsrc will be checked. Otherwise it will fall back to
pkg-config.On Windows, the system-provided Schannel will be used instead.
LibreSSL is also supported.
Optional system libraries:
The build will automatically use vendored versions of the following libraries. However, if they are provided by the system and can be found with pkg-config, then the system libraries will be used instead:
libcurl— Used for network transfers.libgit2— Used for fetching git dependencies.libssh2— Used for SSH access to git repositories.libz(aka zlib) — Used for data compression.
It is recommended to use the vendored versions as they are the versions that are tested to work with Cargo.
Compiling
First, you'll want to check out this repository
git clone https://github.com/rust-lang/cargo.git
cd cargo
With cargo already installed, you can simply run:
cargo build --release
Adding new subcommands to Cargo
Cargo is designed to be extensible with new subcommands without having to modify Cargo itself. See the Wiki page for more details and a list of known community-developed subcommands.
Releases
Cargo releases coincide with Rust releases. High level release notes are available as part of Rust's release notes. Detailed release notes are available in this repo at CHANGELOG.md.
Reporting issues
Found a bug? We'd love to know about it!
Please report all issues on the GitHub issue tracker.
Contributing
See the Cargo Contributor Guide for a complete introduction to contributing to Cargo.
License
Cargo is primarily distributed under the terms of both the MIT license and the Apache License (Version 2.0).
See LICENSE-APACHE and LICENSE-MIT for details.
Third party software
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (https://www.openssl.org/).
In binary form, this product includes software that is licensed under the terms of the GNU General Public License, version 2, with a linking exception, which can be obtained from the upstream repository.
See LICENSE-THIRD-PARTY for details.