#22905: Cargo.lock and Cargo.toml specify incompatible dependencies for libc
-----------------------------+----------------------------------
 Reporter:  isis             |          Owner:
     Type:  defect           |         Status:  merge_ready
 Priority:  Medium           |      Milestone:  Tor: unspecified
Component:  Core Tor/Tor     |        Version:
 Severity:  Normal           |     Resolution:
 Keywords:  rust, tor-build  |  Actual Points:
Parent ID:                   |         Points:
 Reviewer:  isis             |        Sponsor:  SponsorZ
-----------------------------+----------------------------------

Comment (by isis):

 Replying to [comment:3 Sebastian]:
 > The Cargo.lock file is committed on purpose, because we want reproducible builds eventually and builds using exact versions now. In our setup we're building an "internal" library, not something other people would pull in from crates.io.
 >
 > The reason we're using "*" is that dependency updates are manual always (they include vendoring a new thing) so accidental updates should be impossible, unless I'm missing something here.

 If I understood correctly, which I might be wrong or still confused, but I think what was happening is that `cargo fetch` isn't actually looking at the `Cargo.lock` file when it does the dependency resolution, so it sees the `libc = "*"` in `src/rust/tor_util/Cargo.toml`, and it's like "great! 0.2.26 is the latest, I'll grab that" and then later when the build scripts do `cargo build --release --quiet --frozen`, because we're using `--frozen` it finally does look at the `Cargo.lock` file and it gets upset that we don't have precisely version 0.2.22.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22905#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
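
An added example, not part of the ticket or of Tor's build scripts: a pre-build check in Python that flags `"*"` requirements and compares the versions pinned in `Cargo.lock` with the versions actually present locally, modelling the libc 0.2.22 versus 0.2.26 situation described in the comment above. The file contents, the `FETCHED` mapping and all function names are constructed for illustration.

```python
import re

# Constructed sample inputs modelled on the ticket; not Tor's real files.
CARGO_TOML = '''
[package]
name = "tor_util"

[dependencies]
libc = "*"
'''

CARGO_LOCK = '''
[[package]]
name = "tor_util"
version = "0.0.1"

[[package]]
name = "libc"
version = "0.2.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
'''

# Constructed: crate name -> version that is actually on disk after fetching.
FETCHED = {"libc": "0.2.26"}


def locked_versions(lock_text):
    """Return {name: version} for every [[package]] entry that has a source."""
    pins = {}
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        # Local path crates (no "source" key) are not fetched, so skip them.
        if name and version and re.search(r'^source = ', block, re.M):
            pins[name.group(1)] = version.group(1)
    return pins


def wildcard_deps(toml_text):
    """Return dependency names declared as "*" under [dependencies]."""
    section = re.search(r'^\[dependencies\]\n(.*?)(?=^\[|\Z)', toml_text, re.M | re.S)
    body = section.group(1) if section else ""
    return re.findall(r'^([\w-]+)\s*=\s*"\*"', body, re.M)


def frozen_mismatches(lock_text, fetched):
    """List (crate, locked, fetched) where the local copy differs from the pin."""
    pins = locked_versions(lock_text)
    return [(n, v, fetched.get(n)) for n, v in sorted(pins.items()) if fetched.get(n) != v]
```

A non-empty result from `frozen_mismatches` identifies the crates where the local copy does not match the pin, which is the condition the comment describes `--frozen` rejecting.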