-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dependencies resolution with --minimal-versions
#5657
Comments
I would like to cc some persons:
I'd like to see us come to a shared understanding of what we would recommend users do with this feature both at rollout and at steady state in the idealized future.
I think we are all in the middle, and probably closer than we think, we just need to articulate it. To start it off I will propose a position as a strawman, so you can point out where I am wrong. All crates should try |
I'm currently not that interested in how strongly we should impose this option on the ecosystem. First we should make the minimal-versions option work properly. Not even cargo itself can be compiled with minimal-versions as explored in #5275. Repeating the open points here:
|
Well one small peace is done. At this time |
Oh cool, that is good news! The inconsistent crates.io registry is still a problem. @alexcrichton said in rust-lang/crates.io#7310 that getting minimal-versions to work smoothly was not a priority then, so he didn't want to mass update the creates.io index. Is that still the assumption? @SimonSapin argued that people will always use old cargo publish versions and by that make the crates.io registry inconsistent again. In order to prevent that we would have to implement server side rules on crates.io to prevent entries without For experimenting I'm maintaining a crates.io registry fork, that I update very irregularly. It has the
|
That is one of the questions I think we need to address. :-) Hopefully, @alexcrichton and @matklad will have a chance soon to articulate what there current thoughts are. What we decided to recommend needs to work and fairly smoothly. That means that if there are hard changes that need to be made to make it work then we need to be willing to do them. Correspondingly if we are not willing to make the big changes then we need to recommend something smaller. Big changes may include some or all of:
Recommend something smaller may include some or all of:
|
I think we'll definitely want to get this working with the main index, and I think we probably just want to keep going as-is, fixing up crates and publishing them as we discover mismatches. In that sense I think it might be good to do some more work to get some of the "base crates" working and then perhaps make a post on internals asking for testers so we can discover new crates and publish new versions |
Earlier versions of pkg-config don't build with any post-1.0 rust compiler. This is an attempt to get lmdb, and some non-trivial crates which depend on it, building with `-Z minimal-versions`. See rust-lang/cargo#5657 for more information.
This allows tokio-signal to build with `-Z minimal-versions` - see rust-lang/cargo#5657 (comment) for more details. Earlier versions depend on log 0.3.1, which itself depends on libc 0.1, which doesn't build on any post-1.0 version of rust.
I got a non-trivial crate (https://github.com/pantsbuild/pants/tree/c8b42cb52eca9acbca98eaaf9599a47bc7b1f51e/src/rust/engine) compiling with My two big questions from this process are:
|
@illicitonion nice! Those are indeed good questions too :). You can somewhat force the process by having some crate have a higher version bound (aka requiring |
Actually I quite like the suggestion,
I don't think "try to send a PR to the crate and get a new version published" reduces the usability, I think it is begging the question "If a transitive dependency is the only problem with an otherwise functioning dependency, and which doesn't respond to PRs, what should people do?". |
A snag I've now thought of as well: from time to time crates will break due to language/compiler changes, but we're generally pretty good about ensuring that the most recent version on crates.io always builds and point releases are updated. This means, however, that lots of crates' CI will break when that Rust version is published, because not everyone will say they require the newer version of the crate. |
@alexcrichton I think that depends on the CI setup. It seems to me that long-term the CI job with However, the day when your MSRV supports
|
@matklad in the meantime can it be done in one CI job now with |
Excellent idea @Eh2406! |
This is a list of foundational crates with versions that do not build on modern rust. Purging these from tomls is the "startup cost" of getting
I will keep this up to date as I find more, and one day make a |
So @dwijnand asked me to write up how do figure out what to do when a So hear gose.
|
Earlier versions of pkg-config don't build with any post-1.0 rust compiler. This is an attempt to get lmdb, and some non-trivial crates which depend on it, building with `-Z minimal-versions`. See rust-lang/cargo#5657 for more information.
This allows tokio-signal to build with `-Z minimal-versions` - see rust-lang/cargo#5657 (comment) for more details. Earlier versions depend on log 0.3.1, which itself depends on libc 0.1, which doesn't build on any post-1.0 version of rust.
I expanded all the comments on this issue and then did I recently had an issue with a project that uses So I thought "this is a job for So it seems like the I can work up a minimal reproduction of this problem in a repo if that would be helpful. |
I was hoping that |
FYI, it has been merged and released in cargo-minimal-versions 0.1.20. |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
Does I see:
To clarify: rustls has a dependency I would expect this to be fine: This is |
Direct-minimal-versions picks the minimum version for your dependencies (so 1.6). As a consequence, if it can't find a way for transitive dependencies on zeorize that are compatible with 1.6, it errors. It can't / shouldn't force aws-lc-rs to use 1.6 when it says it needs 1.7. |
Apologies, what I was expecting here was to use =1.6 for my immediate zeroize dependency, and then >=1.7 for aws-lc-rs. Sounds like I have misunderstood what the "direct" part of |
Why not give the dep 1.7 and the top-level crate 1.6? Or is this conservative based on "all dependencies may be public" logic and can only be broken with |
Cargo unifies versions both because they may be public and to reduce build times. We could evaluate allowing duplicates in the future after public dependencies are stabilized and widely used (currently blocked on bugs in the compiler with no one stepping up to fix) but we'd have to tread very carefully because of the build time impact. We could easily avoid unifying in places it doesn't make sense and slow things down a lot. |
Diagnostics when duplication of dependencies occurs may be appreciated anyways. Those using |
toml version `0.5.0` incorrectly specified serde version `1.0.0` as one of its dependencies, even though it does not work with with serde version `1.0.0`. This [was fixed](toml-rs/toml-rs#311) and released in version `0.5.2`. This commit updates the toml dependency to version `0.5.2`. Now `proc-macro-crate` builds fine with the cargo flag [`-Z minimal-versions`](rust-lang/cargo#5657).
toml version `0.5.0` incorrectly specified serde version `1.0.0` as one of its dependencies, even though it does not work with with serde version `1.0.0`. This [was fixed](toml-rs/toml-rs#311) and released in version `0.5.2`. This commit updates the toml dependency to version `0.5.2`. Now `proc-macro-crate` builds fine with the cargo flag [`-Z minimal-versions`](rust-lang/cargo#5657).
We discussed this in a recent Cargo team meeting. Use cases for minimal-version resolution
Once we have #9930, in theory that leaves "testing version requirements". An alternative solution to that is summed up as:
The idea is we try to transition the ecosystem over to #10498 by default so that manifests have your lockfile in it and has latest dependencies available. At that point, there are no versions more minimal than what is in This is blocked on
Potential problems with this
|
If we keep The
Maybe the way to expose |
Implementation PR: #5200Nightly: minimal-versions
Docs: https://doc.rust-lang.org/nightly/cargo/reference/unstable.html#minimal-versions
Issues: Z-minimal-versions
Steps:
Unresolved questions:
do we want to "impose" this feature on the ecosystem? Currently, everything seems to work fine due to eager dependency resolution. Adding
--minimal-versions
has costs: one-time ecosystem transition cost, cost to run CI job for minimal versions, cost to actually update minimal versions. There's anecdotal evidence that wrong minimal versions actually are a problem: https://www.reddit.com/r/rust/comments/8ob598/rust_minimum_versions_semver_is_a_lie/e027mtz/.should we implement "--minimal-versions-for-me-but-not-my-dependencies" as well, to make the initial roll-out of this feature easier?
Stabilization TODO:
-Z minimal-versions
to just--minimal-versions
and add it alongside--frozen/locked
,links
problem and solution.The text was updated successfully, but these errors were encountered: