[
https://issues.apache.org/jira/browse/THRIFT-4758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16753995#comment-16753995
]
Allen George commented on THRIFT-4758:
--------------------------------------
The rationale (AFAICT) is that as the library author you specify the
minimum/maximum dependencies your library can use, and then when the
application is built Cargo will figure out how to solve all the constraints
across all libraries it uses. At that point you check in your lock file for
reproducible builds. If I specify a lock file here I'll end up limiting the
usable dependencies downstream.
> We gitignore and do not check in config lock files in many languages - isn't
> that bad?
> --------------------------------------------------------------------------------------
>
> Key: THRIFT-4758
> URL: https://issues.apache.org/jira/browse/THRIFT-4758
> Project: Thrift
> Issue Type: Bug
> Components: Build Process, D - Library, Dart - Library, PHP -
> Library, Ruby - Library, Rust - Compiler
> Affects Versions: 0.12.0
> Reporter: James E. King III
> Priority: Major
>
> In npm we check in the package-lock.json file because that ensures your
> builds are stable over time. The cost you pay is that occasionally you need
> to rev the file manually. The benefit is a changed package won't bork your
> build.
> I have identified in the following languages we are ignoring and not checking
> in the package lock files:
> d (dub)
> dart
> php (top level composer.lock)
> ruby
> rust