Lockfile published with 0.2.14 is incorrect (somehow) #917

Closed
bossmc opened this issue Jan 4, 2021 · 2 comments

bossmc commented Jan 4, 2021

Trying to use `cargo install --locked sccache` builds a version of sccache with lru-disk-cache v0.4.0 and thus linked-hash-map v0.2.1 (which no longer works as of Rust 1.48.0, as reported in #887). If you drop the `--locked` then cargo (currently) chooses lru-disk-cache v0.4.1 and thus linked-hash-map v0.5.3, which works fine, but doing this undermines repeatability of the build.

This looks to be because the published crate's lockfile specifies old dependencies:

```
$ cargo download sccache==0.2.14 > sccache.tgz
INFO: cargo-download v0.1.2
INFO: Crate `sccache==0.2.14` downloaded successfully
$ tar xf sccache.tgz
$ cd sccache-0.2.14/
$ cargo tree --locked --invert -p linked-hash-map
linked-hash-map v0.2.1
└── lru-disk-cache v0.4.0
    └── sccache v0.2.14 (/home/andy/src/mudlark/example-ubuntu/sccache-0.2.14)
$ grep -C 5 linked-hash-map Cargo.lock
 "nix 0.14.1",
 "quick-error",
]

[[package]]
name = "linked-hash-map"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bda158e0dabeb97ee8a401f4d17e479d6b891a14de0bba79d5cc2d4d325b5e48"

[[package]]
--
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fe11d7e96dc49221e0d1a53084a3702e7f850ab6f626101ddd25355b80780270"
dependencies = [
 "filetime 0.1.15",
 "linked-hash-map",
 "log 0.3.9",
 "walkdir 1.0.7",
]
```

Weirdly, the Cargo.lock at the 0.2.14 tag has the updated versions in it, and the .cargo_vcs_info.json file says:

```
{
  "git": {
    "sha1": "655ef1a69691be4fcdcb8990dfca1001df5af129"
  }
}
```

Which agrees with the commit of the tag, but the code in the crate archive doesn't match... Maybe the publish was done on an unclean codebase?
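
The mismatch reported above, between the `Cargo.lock` inside the published crate archive and the one at the release tag, can be checked mechanically. The following is an added example, not part of the original issue or the sccache project: the function names `lock_pins` and `lock_diff` are hypothetical, and the two lockfile excerpts are constructed from the versions quoted in the issue.

```shell
#!/bin/sh
# Added example (not from the sccache project): compare the pins in two Cargo.lock files.

# Print one sorted "name version" line per [[package]] entry.
lock_pins() {
    awk '
        /^\[\[package\]\]/ { name = ""; next }
        /^name = /    { gsub(/"/, "", $3); name = $3 }
        /^version = / { gsub(/"/, "", $3); if (name != "") print name, $3 }
    ' "$1" | LC_ALL=C sort -u
}

# "-" lines are pinned only in $1 (published crate), "+" lines only in $2 (tag).
# Returns 0 when the two lockfiles pin the same set, 1 otherwise.
lock_diff() {
    ld_a=$(mktemp) ld_b=$(mktemp)
    lock_pins "$1" > "$ld_a"
    lock_pins "$2" > "$ld_b"
    ld_out=$(LC_ALL=C comm -23 "$ld_a" "$ld_b" | sed 's/^/-/'
             LC_ALL=C comm -13 "$ld_a" "$ld_b" | sed 's/^/+/')
    rm -f "$ld_a" "$ld_b"
    [ -z "$ld_out" ] && return 0
    printf '%s\n' "$ld_out"
    return 1
}

# Constructed excerpts using the versions quoted in the issue (checksums omitted).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/published.lock" <<'EOF'
[[package]]
name = "linked-hash-map"
version = "0.2.1"

[[package]]
name = "lru-disk-cache"
version = "0.4.0"
dependencies = [
 "linked-hash-map",
]
EOF
sed -e 's/0\.2\.1/0.5.3/' -e 's/0\.4\.0/0.4.1/' "$demo/published.lock" > "$demo/tagged.lock"

lock_diff "$demo/published.lock" "$demo/tagged.lock" || echo "lockfiles differ"
```

In practice the first argument to `lock_diff` would be the `Cargo.lock` unpacked from the downloaded crate archive and the second the `Cargo.lock` checked out at the commit named in `.cargo_vcs_info.json`.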

glandium added this to the 0.2.15 milestone Jan 6, 2021

glandium (Collaborator) commented Jan 8, 2021

#923 made it so that lru-disk-cache is not a separate crate anymore, so this problem will go away in the next release, hopefully soon.

glandium closed this as completed Jan 8, 2021

bossmc (Author) commented Jan 19, 2021

This (plus the yank of lru-disk-cache) means that sccache 0.2.14 can no longer be installed (with --locked you get #887, without you get #924).
