-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make more cargo-as-a-library functions pub
#10414
Conversation
r? @ehuss (rust-highfive has picked a reviewer for you, use r? to override) |
This allows tools that consume Cargo as a library to locate a `std` Workspace without _also_ having to resolve it and possibly download all of its dependencies (as `resolve_ws_with_opts` does).
Many of these functions were already `pub`, but weren't re-exported by a `pub` module. These functions help users who consume Cargo as a library if they want to implement variants of `cargo install` themselves.
Previously, users consuming Cargo as a library had to either use the very low-level `resolve_with_previous`, or the "do everything" `resolve_ws_with_opts`, which includes downloading the source tarballs of most crates in the resolved dependency closure. This patch exposes a version of `resolve_ws_with_opts` that does everything _up to_ anything that requires a source tarball download, as well as `resolve_registry`, which is a building block of other resolver functions that may be of use.
These changes seem to be a little more intrusive than I would like to include. I'm fine with adding the occasional |
Sure! So, the build setting here is one where there is no network access for any part of the build pipeline, except for a particular service that allows fetching allow-listed artifacts. For a given build, the build system has access to a Rust toolchain, the source code of the crate to build, a handle to the artifact service, and a copy of the crates.io index metadata (basically https://github.com/rust-lang/crates.io-index). To build, the build system generates a So, for why it can't just download, it's prevented by the network sandbox, which is there for security isolation. We don't want builds to be able to fetch arbitrary things from the internet, and we also don't want builds to be able to send information out either. As for why not vendor, it's not clear who would do the vendoring. It would require that developers working on Rust crates would always need to vendor their dependencies into the git repository for their crates from, say, their developer environments, which is not only extra work, but also tends to lead to those dependencies to grow stale over time as developers won't think to re-vendor periodically. The current solution is effectively invisible to developers, yet gives both sandboxing and avoids the need for developers to think about vendoring or be bound by its downsides. I'm not entirely sure how Where |
As a separate observation, I think the
What do you think of changing it to just take |
@jonhoo would a cargo subcommand to ensure all of the crates have been downloaded and then doing all other operations with I have several use cases revolving around the index and accessing crate source. So far I've been using a mix of I could see this having a |
I think the answer to my question is tied into this
Wouldn't you run Similarly, |
That's basically what I've been writing — a Cargo subcommand that computes a The challenge lies in implementing that subcommand, since Cargo doesn't currently expose the necessary bits in its library to just resolve (hence this PR). If there was a Cargo subcommand that just printed out the entire
Nothing gets to run outside of the sandbox is the simple answer. The slightly more convoluted answer is that there is a separate service that downloads basically every |
So if I'm understanding correctly, the big issue is that you have a custom index / artifact repository that is available to the sandbox that you need to implement fetching support for because cargo doesn't understand how to. Its in this code that you are resolving and doing all of the other steps. Whats preventing creating a registry facade around this artifact repository so you just take advantage of all of cargo's existing functionality? |
It's not impossible to do so, but it's a real mess since Cargo requires "real" registries to be git-based. It'd be a whole lot easier (and likely what I'll end up doing) once we get HTTP registry support :) |
Thanks for taking the time to help me understand where you are coming from with this. So if I understand it, you are facing the trade off between
|
Exactly right. And 1) I've already discarded as being too much of a hassle to be worth it especially since it'll be thrown away once we get HTTP registries, 2) is actually not that bad modulo the fact that I have to copy-paste a small number of Cargo functions that aren't exposed as |
☔ The latest upstream changes (presumably #10129) made this pull request unmergeable. Please resolve the merge conflicts. |
Closing due to inactivity. If there are requests for exposing more of cargo's API, feel free to create an issue. |
What does this PR try to resolve?
Crates that want to consume Cargo as a library and implement their own functionality on top of it will often want to do some of what Cargo does, but not all of it. Often, this requires copy-pasting a bunch of code from Cargo since the "high level" functions do too much, and the "mid level" functions aren't
pub
. This PR marks a few more mid-level Cargo operationspub
.Additional information
The things I've made
pub
here are all functions that I currently have copies of in a (sadly private) code base that wraps Cargo for certain operations. The primary reason for many of them is that I'm working in a sandboxed environment where Cargo'sdownload_accessible
will not work. Instead, I construct a local registry that is populated by a binary that uses Cargo as a library by walkingResolve
s and downloading each indicated crate version through a specially-allowed ingest mechanism.