Misleading failure when using --frozen --offline with no Cargo.lock

[QSchulz]

Problem

Trying to build a crate with:

cargo build --frozen --offline

when no Cargo.lock file is provided in the crate source repository leads to the following error message:

error: the lock file /path/to/Cargo.lock needs to be updated but --frozen was passed to prevent this
If you want to try to generate the lock file without accessing the network, remove the --frozen flag and use --offline instead.

which is either misleading or a bad suggestion (e.g. reproducible builds desired but Cargo.lock was forgotten).

On a side note, how this error message is formulated is confusing to me. Why would a Cargo.lock need to be updated if I pass --locked to it? Isn't it the whole point of --locked (or --frozen) to use possibly outdated but fixed-version crates? This suggests the user needs to fix something with their Cargo.lock. FWIW, the docs (https://doc.rust-lang.org/cargo/commands/cargo-build.html#manifest-options) do mention that if Cargo.lock file is missing cargo build will fail but the error message mislead me in believing my Cargo.lock file was outdated (whatever that means) instead of just having forgotten to push it. Still the docs do not provide more info on what needs to be done to make sure my Cargo.lock file is up-to-date.

Disclaimer: I integrate SW in build systems and have virtually no experience with cargo and rust at the moment.

Steps

No response

Possible Solution(s)

Check on Cargo.lock file presence when --locked or --frozen is passed. If missing, error out stating that in order to use --locked or --frozen a Cargo.lock file needs to be provided.

Notes

This was discovered for a project of mine when trying to build it with Buildroot using the cargo-pkg package type, c.f. https://git.busybox.net/buildroot/tree/package/pkg-cargo.mk#n101 where --offline and --locked are passed.

Version

No response

[epage]

On a side note, how this error message is formulated is confusing to me. Why would a Cargo.lock need to be updated if I pass --locked to it? Isn't it the whole point of --locked (or --frozen) to use possibly outdated but fixed-version crates?

--locked and --frozen aren't about using what current exists but enforcing what currently exists is viable

        --frozen                     Require Cargo.lock and cache are up to date
        --locked                     Require Cargo.lock is up to date

(keyword being "Require")

The problem is the current lockfile is incompatible with the manifests which is why it needs to be updated. For example, if a manifest has a new dependency or a version requirement was changed to be incompatible with the lock file.

With a flag like --frozen, there are two choices

1. Ignore the lockfile and operate off of the in-memory version we would write out
2. Error because we can't respect the lock file

There might be cases where someone wants (1) but (2) is the more correct default because

• The lock file is the de facto standard of truth (if nothing else, for traceability) and if you can't use it, thats an error
• This gives people a mechanism to verify their lock file

which is either misleading or a bad suggestion (e.g. reproducible builds desired but Cargo.lock was forgotten).
...
Check on Cargo.lock file presence when --locked or --frozen is passed. If missing, error out stating that in order to use --locked or --frozen a Cargo.lock file needs to be provided.

The problem is that Cargo doesn't know your intention, just that the lock file doesn't line up with what Cargo expects for it. The wording could be specialized from saying "updated" in all cases to either saying "created" or "updated". I'm having a hard time seeing how we could improve the remediation so it works in all contexts. Saying the lock file "needs to be provided" is misleading in the local development case.

[leighmcculloch]

Given that --locked and --frozen both require a Cargo.lock to not only be updated, but to be present, it seems reasonable to say that the file is required but missing, or not present, when the file does not exist when these options are used.

[qknight]

I wanted to use trunk in 0.17.5 and needed to replace --frozen with --offline to make the build work.

cargo supports these:

      --frozen              Require Cargo.lock and cache are up to date
      --locked              Require Cargo.lock is up to date
      --offline             Run without accessing the network

error without my patch in nixpkgs or trunk/default.nix

this derivation will be built:
  /nix/store/xijny7a5y78zizn2ylfka5q8z5ava073-trunk-0.17.5.drv
building '/nix/store/xijny7a5y78zizn2ylfka5q8z5ava073-trunk-0.17.5.drv'...
unpacking sources
unpacking source archive /nix/store/wbrl5ilhb7wmmphyqimy78s48vvi1aq1-source
source root is source
Executing cargoSetupPostUnpackHook
unpacking source archive /nix/store/ni0syvy41kzp6l4ybm61nwdydl3iwr96-trunk-0.17.5-vendor.tar.gz
Finished cargoSetupPostUnpackHook
patching sources
Executing cargoSetupPostPatchHook
Validating consistency between /build/source//Cargo.lock and /build/trunk-0.17.5-vendor.tar.gz/Cargo.lock
Finished cargoSetupPostPatchHook
configuring
building
Executing cargoBuildHook
++ env CC_x86_64-unknown-linux-gnu=/nix/store/a64w6zy8w9hcj6b4g5nz0dl6zyd24c1x-gcc-wrapper-11.3.0/bin/cc CXX_x86_64-unknown-linux-gnu=/nix/store/a64w6zy8w9hcj6b4g5nz0dl6zyd24c1x-gcc-wrapper-11.3.0/bin/c++ CC_x86_64-unknown-linux-gnu=/nix/store/a64w6zy8w9hcj6b4g5nz0dl6zyd24c1x-gcc-wrapper-11.3.0/bin/cc CXX_x86_64-unknown-linux-gnu=/nix/store/a64w6zy8w9hcj6b4g5nz0dl6zyd24c1x-gcc-wrapper-11.3.0/bin/c++ cargo build -j 16 --target x86_64-unknown-linux-gnu --frozen --release --offline
error: the lock file /build/source/Cargo.lock needs to be updated but --frozen was passed to prevent this
If you want to try to generate the lock file without accessing the network, remove the --frozen flag and use --offline instead.
error: builder for '/nix/store/xijny7a5y78zizn2ylfka5q8z5ava073-trunk-0.17.5.drv' failed with exit code 101;
       last 10 log lines:
       > patching sources
       > Executing cargoSetupPostPatchHook
       > Validating consistency between /build/source//Cargo.lock and /build/trunk-0.17.5-vendor.tar.gz/Cargo.lock
       > Finished cargoSetupPostPatchHook
       > configuring
       > building
       > Executing cargoBuildHook
       > ++ env CC_x86_64-unknown-linux-gnu=/nix/store/a64w6zy8w9hcj6b4g5nz0dl6zyd24c1x-gcc-wrapper-11.3.0/bin/cc CXX_x86_64-unknown-linux-gnu=/nix/store/a64w6zy8w9hcj6b4g5nz0dl6zyd24c1x-gcc-wrapper-11.3.0/bin/c++ CC_x86_64-unknown-linux-gnu=/nix/store/a64w6zy8w9hcj6b4g5nz0dl6zyd24c1x-gcc-wrapper-11.3.0/bin/cc CXX_x86_64-unknown-linux-gnu=/nix/store/a64w6zy8w9hcj6b4g5nz0dl6zyd24c1x-gcc-wrapper-11.3.0/bin/c++ cargo build -j 16 --target x86_64-unknown-linux-gnu --frozen --release --offline
       > error: the lock file /build/source/Cargo.lock needs to be updated but --frozen was passed to prevent this
       > If you want to try to generate the lock file without accessing the network, remove the --frozen flag and use --offline instead.
       For full logs, run 'nix log /nix/store/xijny7a5y78zizn2ylfka5q8z5ava073-trunk-0.17.5.drv'.

my proposal

i only checked with trunk, not checked if all the other crates would work.

trunk/default.nix

{ lib, rustPlatform, fetchFromGitHub, pkg-config, openssl, libiconv }:

rustPlatform.buildRustPackage rec {
  pname = "trunk";
  version = "0.17.5";

  src = fetchFromGitHub {
    owner = "thedodd";
    repo = "trunk";
    rev = "v${version}";
    sha256 = "sha256-CRlSHOT4hMblfaTcX9Y2BN52RYjDSLaanoxOMccff40=";#sha256-/XVDjKK1Kv7Hk3RUf4v9PEGwarUGzj3+96mZoCKrUEw=";
  };

  nativeBuildInputs = [ pkg-config ];
  buildInputs = [ openssl ];

  # requires network
  checkFlags = [ "--skip=tools::tests::download_and_install_binaries" ];

  cargoSha256 = "sha256-WZ9EOQ00pOTqlO9G/Q58QMU2BMFfMY6JtTVzmMMKfys=";
  cargoBuildIgnoreFrozenFlag = true;
  cargoBuildFlags = [ "--offline" ];

  meta = with lib; {
    homepage = "https://github.com/thedodd/trunk";
    description = "Build, bundle & ship your Rust WASM application to the web";
    maintainers = with maintainers; [ freezeboy ];
    license = with licenses; [ asl20 ];
  };
}

nixpkgs

On the nixpkgs side I added a new option cargoBuildIgnoreFrozenFlag which is normally not set, so legacy --forzen is applied. But for newer revisions it can be used to remove --frozen and then the user can set whatever flags he wants with the already supported cargoBuildFlags.

PS C:\Users\joschie\Desktop\Projects\nixpkgs> git diff
diff --git a/pkgs/build-support/rust/hooks/cargo-build-hook.sh b/pkgs/build-support/rust/hooks/cargo-build-hook.sh
index 7503fae4cd7f..bfec1e35ed1f 100644
--- a/pkgs/build-support/rust/hooks/cargo-build-hook.sh
+++ b/pkgs/build-support/rust/hooks/cargo-build-hook.sh
@@ -1,4 +1,5 @@
 declare -a cargoBuildFlags
+declare -a cargoBuildIgnoreFrozenFlag

 cargoBuildHook() {
     echo "Executing cargoBuildHook"
@@ -24,6 +25,10 @@ cargoBuildHook() {
         cargoBuildFeaturesFlag="--features=${cargoBuildFeatures// /,}"
     fi

+    if [ "${cargoBuildIgnoreFrozenFlag}" != "1" ]; then
+        cargoBuildFlags="--frozen ${cargoBuildFlags}"
+    fi
+
     (
     set -x
     env \
@@ -33,7 +38,6 @@ cargoBuildHook() {
       "CXX_@rustTargetPlatform@=@cxxForHost@" \
       cargo build -j $NIX_BUILD_CORES \
         --target @rustTargetPlatformSpec@ \
-        --frozen \
         ${cargoBuildProfileFlag} \
         ${cargoBuildNoDefaultFeaturesFlag} \
         ${cargoBuildFeaturesFlag} \

There are ~30 usages of cargoBuildFlags in nixpkgs in this checkout.

I am on 22.05.4694.380be19fbd2d (Quokka).

shell.nix

let
  rust_overlay = import (fetchTarball "https://github.com/oxalica/rust-overlay/archive/master.tar.gz");
  pkgs1 = import <nixpkgs> { overlays = [ rust_overlay ]; };

  rust = pkgs1.rust-bin.stable.latest.default.override {
    extensions = [ "rustfmt" "clippy" ];
    targets = [
      "x86_64-unknown-linux-musl"
      "wasm32-unknown-unknown"
    ];
  };
  myRustPlatform = pkgs1.makeRustPlatform {
    cargo = pkgs1.rust-bin.stable.latest.minimal;
    rustc = pkgs1.rust-bin.stable.latest.minimal;
  };
  mytrunk = pkgs1.callPackage ./trunk/default.nix { rustPlatform=myRustPlatform; };
in
  with pkgs1;
  mkShell {
    buildInputs = [
      mytrunk
      rust
      git
      pkg-config
      just                     # task runner
      nodePackages.tailwindcss # build CSS files
      nodejs                   # required to install tailwind plugins
    ];
    SQLITE3_DIR = "${sqlite.dev}";
    SQLITE3_LIB_DIR = "${sqlite.out}/lib";
    SQLITE3_INCLUDE_LIB_DIR = "${sqlite.out}/include";
}