Bug#1094199: dh-rust: installs lib crates in non-deterministic and fallable order

Fri, 07 Feb 2025 12:15:13 -0800 

Package: dh-rust
Version: 0.0.10
Followup-For: Bug #1094199
X-Debbugs-Cc: noisyc...@tutanota.com, jo...@jones.dk, ben...@debian.org

To illustrate my point I wrote a patch for `cargo package`, in attachment. I
found out that the point of failure is `cargo package` trying to either verify
or generate the package's Cargo.lock, which needs all dependencies to be in the
registry in order to (at least) verify/compute checksums. The patch adds a
new `--no-lock` option that disables Cargo.lock generation/verification.
Building cargo with that patch and using the --no-lock option in dh-rust solves
the ordering issue (installed packages are not looked for so the ordering issue
disappears), and axum, bounded-static, wasmtime and curve25519-dalek build
successfully. Moreover, library packages can be built with the nocheck profile
even with no build dependencies for the same reason (tested with async-std),
showing that the underlying issue is in fact the same as Bug #1094483.

>From 475f2bf42e577d93ed524848d7862d6afd857a6f Mon Sep 17 00:00:00 2001
From: NoisyCoil <noisyc...@tutanota.com>
Date: Fri, 7 Feb 2025 19:59:52 +0100
Subject: [PATCH] Add a `no-lock` option to `cargo package`

---
 src/bin/cargo/commands/package.rs |  2 ++
 src/cargo/ops/cargo_package.rs    | 16 +++++++++++++---
 src/cargo/ops/registry/publish.rs |  1 +
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/bin/cargo/commands/package.rs 
b/src/bin/cargo/commands/package.rs
index 251fa28..bf38c01 100644
--- a/src/bin/cargo/commands/package.rs
+++ b/src/bin/cargo/commands/package.rs
@@ -26,6 +26,7 @@ pub fn cli() -> Command {
             "allow-dirty",
             "Allow dirty working directories to be packaged",
         ))
+        .arg(flag("no-lock", "Do not create or verify the lockfile"))
         .arg_silent_suggestion()
         .arg_package_spec_no_all(
             "Package(s) to assemble",
@@ -79,6 +80,7 @@ pub fn exec(gctx: &mut GlobalContext, args: &ArgMatches) -> 
CliResult {
             list: args.flag("list"),
             check_metadata: !args.flag("no-metadata"),
             allow_dirty: args.flag("allow-dirty"),
+            no_lock: args.flag("no-lock"),
             to_package: specs,
             targets: args.targets()?,
             jobs: args.jobs()?,
diff --git a/src/cargo/ops/cargo_package.rs b/src/cargo/ops/cargo_package.rs
index 30445b8..4865b57 100644
--- a/src/cargo/ops/cargo_package.rs
+++ b/src/cargo/ops/cargo_package.rs
@@ -40,6 +40,7 @@ pub struct PackageOpts<'gctx> {
     pub list: bool,
     pub check_metadata: bool,
     pub allow_dirty: bool,
+    pub no_lock: bool,
     pub verify: bool,
     pub jobs: Option<JobsConfig>,
     pub keep_going: bool,
@@ -99,6 +100,7 @@ fn create_package(
     pkg: &Package,
     ar_files: Vec<ArchiveFile>,
     local_reg: Option<&TmpRegistry<'_>>,
+    no_lock: bool,
 ) -> CargoResult<FileLock> {
     let gctx = ws.gctx();
     let filecount = ar_files.len();
@@ -122,7 +124,7 @@ fn create_package(
     gctx.shell()
         .status("Packaging", pkg.package_id().to_string())?;
     dst.file().set_len(0)?;
-    let uncompressed_size = tar(ws, pkg, local_reg, ar_files, dst.file(), 
&filename)
+    let uncompressed_size = tar(ws, pkg, local_reg, ar_files, dst.file(), 
&filename, no_lock)
         .context("failed to prepare local package for uploading")?;
 
     dst.seek(SeekFrom::Start(0))?;
@@ -202,6 +204,7 @@ fn do_package<'a>(
         .as_path_unlocked()
         .join(LOCKFILE_NAME)
         .exists()
+        && !opts.no_lock
     {
         // Make sure the Cargo.lock is up-to-date and valid.
         let dry_run = false;
@@ -249,7 +252,7 @@ fn do_package<'a>(
                 drop_println!(ws.gctx(), "{}", ar_file.rel_str);
             }
         } else {
-            let tarball = create_package(ws, &pkg, ar_files, 
local_reg.as_ref())?;
+            let tarball = create_package(ws, &pkg, ar_files, 
local_reg.as_ref(), opts.no_lock)?;
             if let Some(local_reg) = local_reg.as_mut() {
                 if pkg.publish() != &Some(Vec::new()) {
                     local_reg.add_package(ws, &pkg, &tarball)?;
@@ -893,6 +896,7 @@ fn tar(
     ar_files: Vec<ArchiveFile>,
     dst: &File,
     filename: &str,
+    no_lock: bool,
 ) -> CargoResult<u64> {
     // Prepare the encoder and its header.
     let filename = Path::new(filename);
@@ -943,7 +947,13 @@ fn tar(
             FileContents::Generated(generated_kind) => {
                 let contents = match generated_kind {
                     GeneratedFile::Manifest => 
publish_pkg.manifest().to_normalized_contents()?,
-                    GeneratedFile::Lockfile => build_lock(ws, &publish_pkg, 
local_reg)?,
+                    GeneratedFile::Lockfile => {
+                        if no_lock {
+                            continue;
+                        } else {
+                            build_lock(ws, &publish_pkg, local_reg)?
+                        }
+                    }
                     GeneratedFile::VcsInfo(ref s) => 
serde_json::to_string_pretty(s)?,
                 };
                 header.set_entry_type(EntryType::file());
diff --git a/src/cargo/ops/registry/publish.rs 
b/src/cargo/ops/registry/publish.rs
index de0f9ac..476ec0d 100644
--- a/src/cargo/ops/registry/publish.rs
+++ b/src/cargo/ops/registry/publish.rs
@@ -146,6 +146,7 @@ pub fn publish(ws: &Workspace<'_>, opts: &PublishOpts<'_>) 
-> CargoResult<()> {
             list: false,
             check_metadata: true,
             allow_dirty: opts.allow_dirty,
+            no_lock: false,
             // `package_with_dep_graph` ignores this field in favor of
             // the already-resolved list of packages
             to_package: ops::Packages::Default,
-- 
2.48.1

Reply via email to