Add --locked flag to Rust formulae with a Cargo.lock file

[samford]

The related PR that brought attention to this issue (#45839) is now merged and less visible, so I wanted to create an issue to continue any discussion around the --locked flag, track progress on related formulae updates, and to have something that people can see and reference.

The general idea here is that Rust formulae typically use cargo install to build/install but haven't been using the --locked flag, so builds aren't reproducible and can eventually fail over time if a dependency adds a breaking change in a newer version. In contrast to cargo build, by default cargo install uses the latest dependencies in the build rather than the ones found in Cargo.lock. Adding the --locked flag makes cargo install use the dependency versions in the Cargo.lock file, which is generally what you would expect when you're trying to build a binary of a specific version/revision of a project.

I threw together a little script that goes through the formulae and identifies which have the --locked flag already and which still potentially need it. I've created lists of the formulae 1) with no Cargo.lock file, 2) with a Cargo.lock file now added to the repo but not yet in a release, 3) with a Cargo.lock file but no --locked flag, and 4) with a Cargo.lock file and the --locked flag (i.e., finished).

Feel free to mention this issue in any related PR, as I'll be trying to keep this relatively up to date to track progress.

Does Not Have Cargo.lock

• pngquant.rb (open issue: Add Cargo.lock file kornelski/pngquant#347)

Cargo.lock Added but Not Yet in a Release

• shellharden.rb (PR: shellharden: add --locked flag to cargo install #46159, closed issue: Add Cargo.lock file anordal/shellharden#28)
• svgcleaner.rb (repository archived, open issue: Add back Cargo.lock to source tarball RazrFalcon/svgcleaner#157)

Has Cargo.lock and Needs --locked Flag

• git-series.rb (closed PR: git-series: add --locked flag to cargo install #46176 ----- Build fails due to errors that are fixed in upstream master but not yet in a release; --locked flag will be added in the next release after 0.9.1)
• rust.rb (Rust and Racer have lock files but not Cargo)

Has Cargo.lock and --locked Flag

• angle-grinder.rb (PR: angle-grinder: add --locked flag to cargo install #46148)
• badtouch.rb (PR: badtouch: add --locked flag to cargo install #46182)
• bat.rb (PR: bat: Add --locked flag to cargo install #46134)
• boringtun.rb (PR: boringtun: add --locked flag to cargo install #46183)
• broot.rb (PR: broot: add --locked flag to cargo install #46184)
• click.rb (PR: click: add --locked flag to cargo install #46185)
• cmdshelf.rb (PR: cmdshelf: add --locked flag to cargo install #46186)
• deno.rb (PR: deno 0.22.0 #45914)
• diffr.rb (PR: diffr: add --locked flag to cargo install #46187)
• diskus.rb (PR: diskus: add --locked flag to cargo install #46188)
• dssim.rb (PR: dssim 3.0.0 #70643, closed issue: Add Cargo.lock file kornelski/dssim#59)
• dust.rb (PR: dust: add --locked flag to cargo install #46189)
• fastmod.rb (PR: fastmod: add --locked flag to cargo install #46190)
• fd.rb (PR: fd: Add --locked flag to cargo install #46135)
• ffsend.rb (PR: ffsend: Bump version and add --locked flag to cargo install #46139)
• fselect.rb (PR: fselect: add locked flag to cargo install #46624, closed issue: Add Cargo.lock file jhspetersson/fselect#61)
• geckodriver.rb (PR: geckodriver 0.26.0 #45906)
• genact.rb (PR: genact: Add --locked flag to cargo install #46141)
• gifski.rb (PR: gifski: add --locked flag to cargo install #46173)
• git-absorb.rb (PR: git-absorb: add --locked flag to cargo install #46174)
• git-delta.rb (PR: git-delta: add --locked flag to cargo install #46175)
• gleam.rb (PR: gleam: add --locked flag to cargo install #46177)
• grin.rb (PR: grin 2.1.1 (new formula) #45946)
• grin-wallet.rb (PR: grin-wallet 2.1.0 (new formula) #45833)
• hexyl.rb (PR: hexyl: Add --locked flag to cargo install #46138)
• hyperfine.rb (PR: hyperfine: Add --locked flag to cargo install #46075)
• interactive-rebase-tool.rb (PR: interactive-rebase-tool: add --locked flag to cargo install #46178)
• just.rb (PR: just: add --locked flag to cargo install #46179)
• ktmpl.rb (PR: ktmpl: add --locked flag to cargo install #46180)
• loc.rb (PR: loc: add --locked flag to cargo install #46181)
• lsd.rb (PR: lsd: Add --locked flag to cargo install #46142)
• mdbook.rb (PR: mdbook: Add --locked flag to cargo install #46144)
• mdcat.rb (PR: mdcat: add --locked flag to cargo install #46171)
• miniserve.rb (PR: miniserve: add --locked flag to cargo install #46172)
• nushell.rb (PR: nushell: 0.5.0, add --locked flag to cargo install #46505)
• onefetch.rb (PR: onefetch 1.6.5 (new formula) #45878)
• oxipng.rb (PR: oxipng: add --locked flag to cargo install #46164)
• pastel.rb (PR: pastel: add --locked flag to cargo install #46165)
• pijul.rb (PR: pijul: Add --locked flag to cargo install #46073)
• procs.rb (PR: procs: add --locked flag to cargo install #46166)
• rargs.rb (PR: rargs: add --locked flag to cargo install #46167)
• rbspy.rb (PR: rbspy: add --locked flag to cargo install #46168)
• ripgrep.rb (PR: ripgrep: Add --locked flag to cargo install #46133)
• ripgrep-all.rb (PR: ripgrep-all: add --locked flag to cargo install #46169)
• rustup-init.rb (PR: rustup-init: add --locked flag to cargo install #46170)
• sccache.rb (PR: sccache: add --locked flag to cargo install #46156)
• sd.rb (PR: sd: add --locked flag to cargo install #46157)
• shadowenv.rb (PR: shadowenv: add --locked flag to cargo install #46158)
• sk.rb (PR: sk: add --locked flag to cargo install #46160)
• sn0int.rb (PR: sn0int: add --locked flag to cargo install #46161)
• ssh-permit-a38.rb (PR: ssh-permit-a38: add --locked flag to cargo install #46162)
• starship.rb (PR: starship: Bump version and add --locked flag to cargo install #46140)
• tealdeer.rb (PR: tealdeer: Add --locked flag to cargo install #46079)
• tectonic.rb (PR: tectonic: add --locked flag to cargo install #46149)
• toast.rb (PR: toast: add --locked flag to cargo install #46150)
• tokei.rb (PR: tokei: add --locked flag to cargo install #46151)
• topgrade.rb (PR: topgrade: add --locked flag to cargo install #46152)
• wagyu.rb (PR: wagyu: add --locked flag to cargo install #46153)
• watchexec.rb (PR: watchexec: add --locked flag to cargo install #46154)
• websocat.rb (PR: websocat: add --locked flag to cargo install #46155)
• xsv.rb (PR: xsv: Add --locked flag to cargo install #46137)
• zola.rb (PR: Zola: Add --locked flag to cargo install command, update sha256 checksum #45839)

[samford]

On to questions and comments.

When updating these formulae, if there isn't a new version available to bump the version at the same time, should we bump the revision? That is to say, if we want the bottles to be rebuilt (using the --locked flag) and for users to get an updated binary, does that require bumping the revision? Once this is answered, I can start going through the list in my free time to tackle some of these formulae changes.

I saw that the formula_creator.rb file was updated (Homebrew/brew#6664), so the default cargo install command now contains the --locked flag. The following files in the Homebrew/brew repo may still need to be modified as well:

• /Library/Homebrew/rubocops/text.rb
• /Library/Homebrew/test/rubocops/text_spec.rb

Per the previous discussion (in the aforementioned PR), it may be necessary to create an audit for the --locked flag (when cargo install is used to build/install). Just to be clear, I don't know enough about Homebrew's internals to take care of this, so this is something that someone else will have to handle.

In general, if anyone has any additional comments/guidelines on how this should be tackled, please do let me know.

[fxcoudert]

When updating these formulae, if there isn't a new version available to bump the version at the same time, should we bump the revision?

No. As the formulas are currently working, we don't want to force the new binaries on all users, so no revision bump.

[samford]

Out of curiosity, are new bottles published after a formula modification without a revision bump? That is, if a user newly installs a formula after the --locked flag has been added, will they receive a bottle that was built with the --locked flag present?

Besides the demonstrated issue with broken builds over time, my other concern was that without the --locked flag, the bottle may contain a binary that was built using newer crate versions (compared to what's in the lock file). In that case, the build may succeed without errors and the binary may appear to work properly but it wouldn't be an accurate representation of what was intended for that version release.

I'll respect this decision regardless but I felt I would be remiss not to clarify this further.

[jonchang]

Out of curiosity, are new bottles published after a formula modification without a revision bump? That is, if a user newly installs a formula after the --locked flag has been added, will they receive a bottle that was built with the --locked flag present?

This is possible; you can tell because the formulae will have rebuild 1 or similar in bottle blocks.

[fxcoudert]

Bottles are systematically rebuilt as part of testing a pull request. Whether the new bottles are published depends on the maintainer's choice when merging, whether they decided to pull the bottles as well during the merge… we almost always do.

[chenrui333]

Besides nushell.rb (which currently builds on top of beta rust release) and rust.rb, I think every rust formula which has cargo.lock have been addressed.

cc @samford @fxcoudert

[fxcoudert]

Thanks to everyone involved!