Respect rust-version when selecting a version for cargo install
#10903
Comments
epage
added
Command-install
C-feature-request
|
This is blocked on |
|
While I generally very much support supporting older Rust versions, I worry about how this would (not silently but) quietly give users insecure versions of programs, in the absence of either integration with RustSec or a culture of yanking insecure versions (which I would hope would be blocked on having a way to bypass yankedness for e.g. |
|
Our choices are
Maybe I'm missing some use cases but I personally have little sympathy for the security side of this. If the error just leads them to selecting an old version anyways, did we really help them with security? How do we know the newest version is any more secure than the older version? This also isn't too different than if someone had |
weihanglo
added
S-blocked-external
feat: Add `-Zmsrv-policy` feature flag ### What does this PR try to resolve? Nothing noticeable.... The intent is to unblock experiments with different compatible MSRV policies like - #9930 - #10653 - #10903 While I normally don't like PRs that do nothing on their own, this at least allows any one of those efforts to move forward with different people without juggling these base commits for whoever is first to include in their PR While there isn't an RFC for this yet, this is intended to allow us to experiment to get a better idea of what we should put in an RFC. In some cases, we first do an eRFC for this but I assumed this wouldn't be needed in this case as this builds on rust-lang/rfcs#2495 and, I'm assuming, will be more surgical in nature ### How should we test and review this PR? The `Summary` changes are largely untested as they will be mostly tested through the future work that builds on this PR. However, I wasn't too concerned about that because the code is relatively trivial. ### Additional information I chose the name `msrv-policy` to distinguish this unstable feature from `rust-version`. Though those appear in different places (`Cargo.toml` vs `-Z`), I can see them being confusing which was especially apparent when editing `unstable.md` which has an anchor for `rust-version`.
|
Thoughts I had from a discussion with Ed: My inclination here is to have
Improving the error instead helps the average user (instructing them to upgrade their Rust version), but also the less common user (giving them a path forward to install with their current Rust version). |
|
"programs you run" is a little different than "project dependencies" and can more likely be ahead. I also understand the problem of Telling the user what version they can install would be a good first step for improving the error message. As that is just UX, we can do that without putting it behind the |
epage
removed
the
S-blocked-external
|
FYI #12553 should make further MSRV work a bit easier |
The next step would be to also automatically install an MSRV compatible version if compatible with the version req (rust-lang#10903). This improved error message will still be useful if the MSRV compatible version is outside of the version req. I did this as the first step - Helps people now, not needing to wait on `-Zmsrv-policy` to be stabilized - Has fewer questions on how it should be done (or if it should be)
The next step would be to also automatically install an MSRV compatible version if compatible with the version req (rust-lang#10903). This improved error message will still be useful if the MSRV compatible version is outside of the version req. I did this as the first step - Helps people now, not needing to wait on `-Zmsrv-policy` to be stabilized - Has fewer questions on how it should be done (or if it should be)
The next step would be to also automatically install an MSRV compatible version if compatible with the version req (rust-lang#10903). This improved error message will still be useful if the MSRV compatible version is outside of the version req. I did this as the first step - Helps people now, not needing to wait on `-Zmsrv-policy` to be stabilized - Has fewer questions on how it should be done (or if it should be)
fix(install): Suggest an alternative version on MSRV failure ### What does this PR try to resolve? Moves users from a bad error message, suggesting `--locked` which won't do anything, to suggesting a version of a package to use instead. The side benefit is errors get reported sooner - Before downloading the `.crate` - When installing multiple packages, before building the first This comes at the cost of an extra `rustc` invocation. ### How should we test and review this PR? Per-commit this builds it up, from tests to the final design. ### Additional information This is also written in a way to align fairly well with how we'd likely implement #10903. This improved error message will still be useful after that issue is resolved when the MSRV compatible version is outside of the version req.
Is it possible to implement Will this be the default when stable, or is it opt in, behind resolver 3 (#9930)? |
|
|
|
I would really love if there is at least a flag, |
When running
cargo install foo, if my rust version is too old, I'll get compilation errors. If the failing crate setsrust-version, then I'll get a nice error message about it but no path forward for fixing it. #10891 adds a path forward forcargo installwhen the failure is in a dependency but not when its in the crate itself that is being installed.Ideally,
cargo installwill select an older version (with a warning) that is compatible with my toolchain. As a step back from the ideal, I'd get an error with corrective steps (ideally, telling me what version to use).The text was updated successfully, but these errors were encountered: