On Mon, Oct 01, 2018 at 10:20:23AM +0200, Sebastien Marie wrote:
> On Mon, Oct 01, 2018 at 09:41:25AM +0200, Peter Hessler wrote:
> > On 2018 Oct 01 (Mon) at 06:36:07 +0200 (+0200), Sebastien Marie wrote:
> >
> > Side question, why are these versions hardcoded in the makefile?
> > Shouldn't they just use the latest version?
>
> cargo uses "Cargo.lock" file (generated from "Cargo.toml", which is a
> kind of specification for dependencies). It contains the list of all
> exact versions for all the dependencies.
>
> The port's Makefile contains a series of MODCARGO_CRATES which duplicate
> the registered versions in Cargo.lock file in order to download the
> tarballs and set up an "alternate" source directory. So cargo will
> use that instead of downloading them over the network.
>
> One of the purposes (for Rust developers) is to have reproducible builds.
> So Cargo.lock pins specific versions of all dependencies (and deps of
> deps). Usually these are the latest at the time of generation of the
> file. It also permits avoiding unwanted breaking changes in some library
> the program could use, as the pinned versions are part of the release (so
> assumed to be tested...)
>
> When building, cargo will insist on using these specific versions taken
> from Cargo.lock, or will try to download them over the network.
>
> Here, we download a different libc version, and ask devel/cargo
> module to "update" the Cargo.lock for libc. So it will effectively use
> an alternative version. Doing so, the OpenBSD ports differ from
> "official" exa-0.8.0.

This is utterly stupid. This makes decentralized work 100% impossible, unless all people react instantly all the time. This doesn't work. Reproducible builds is a laudable goal, but it can't work that way. They are well on their way to reproduce the DLL HELL anti-pattern. Or maybe they intend that their "language" only gets used in docker or bouillonkubernates or whatever.
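
A check for the divergence described in the quoted explanation, as an added example that is not part of this thread or of the OpenBSD ports tree: it compares the versions pinned in Cargo.lock with a port's MODCARGO_CRATES lines and reports every crate where the port builds something other than what upstream released. Both sample inputs are constructed (all version numbers except exa 0.8.0 are made up), and the `MODCARGO_CRATES += <name> <version>` line layout is an assumption.

```python
import re

# Constructed sample inputs (not taken from the real exa port).
CARGO_LOCK = """\
[[package]]
name = "exa"
version = "0.8.0"

[[package]]
name = "ansi_term"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "libc"
version = "0.2.30"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Assumed Makefile layout: MODCARGO_CRATES += <name> <version>
MAKEFILE = """\
MODCARGO_CRATES += ansi_term 0.8.0
MODCARGO_CRATES += libc 0.2.43
"""

def lock_pins(text):
    """(name, version) pairs that Cargo.lock pins from a registry."""
    pins = set()
    for block in text.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"$', block, re.M))
        if "source" in fields:  # the root package has no source entry
            pins.add((fields["name"], fields["version"]))
    return pins

def port_crates(makefile):
    """(name, version) pairs listed in MODCARGO_CRATES lines."""
    pat = re.compile(r"^MODCARGO_CRATES\s*\+=\s*(\S+)\s+(\S+)", re.M)
    return set(pat.findall(makefile))

def drift(lock_text, makefile):
    """Crates whose vendored versions differ from the upstream pins."""
    pins, port = lock_pins(lock_text), port_crates(makefile)
    report = []
    for name in sorted({n for n, _ in pins | port}):
        locked = sorted(v for n, v in pins if n == name)
        vendored = sorted(v for n, v in port if n == name)
        if locked != vendored:
            report.append((name, locked, vendored))
    return report
```

Each tuple returned by `drift()` is a crate whose build input no longer matches the upstream release, so an empty list means the port vendors exactly what Cargo.lock pins.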