On 15/03/2019 14:31, Xidorn Quan wrote:
> Servo has a policy banning duplicate dependencies with a whitelist,
> and such list currently has:

This exact allow-list is not part of Servo’s policy, but is constantly
evolving. If you can reduce it (typically by updating some intermediate
dependencies to versions that use e.g. log 0.4 instead of 0.3), this is
great and we love you.

If you add a new exception to the allow-list, in review we will ask that
you make some effort to avoid doing so. If the effort turns out to be
disproportionate (for example: many intermediate dependencies are
affected, and they in turn would affect other crates in the graph) or if
we want to avoid waiting too long on upstream (because a patch is at
risk of bitrotting, or blocks other work, or…) then we may accept
growing the list.

The important part is that machine-verification avoids accidentally
adding new duplications.

On 15/03/2019 15:38, Andreas Tolfsen wrote:
> It is my experience that far
> too many dependencies are defined on exact version numbers, e.g.
> "log = 0.3.9", which effectively forces us to vendor that exact
> version in-tree.

It does not force that.

Specifying `log = "0.3.9"` in Cargo.toml’s [dependencies] section is
equivalent to `log = "^0.3.9"` which is equivalent to
`log = ">=0.3.9 < 0.4.0"`.

So if a project uses crate A with the above and crate B with
`log = "0.3.12"`, then version 0.3.15 is acceptable to satisfy both
dependencies.

What would force an exact version is `log = "=0.3.9"`. (Note that the
first equal sign is TOML syntax for key/value pairs, while the second
one is part of the version specification string, inside the quotes.)

See https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html
--
Simon Sapin
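
The requirement forms discussed in the message above, as an added example that is not part of the original e-mail and is not Cargo's own code. It is a simplified matcher for bare, caret and `=` requirements; the function names and the list of available versions are constructed for illustration, and it assumes full MAJOR.MINOR.PATCH versions without pre-release tags.

```rust
// Added illustration, not from the original message. Assumes full
// MAJOR.MINOR.PATCH versions with no pre-release or build tags.
type Version = (u64, u64, u64);

fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let v = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { None } else { Some(v) }
}

// Exclusive upper bound of a caret requirement: the left-most non-zero
// component is the one that must not change.
fn caret_upper(v: Version) -> Version {
    match v {
        (0, 0, patch) => (0, 0, patch + 1),
        (0, minor, _) => (0, minor + 1, 0),
        (major, _, _) => (major + 1, 0, 0),
    }
}

// Some(true/false) when the requirement is understood, None otherwise.
// A bare "0.3.9" is treated exactly like "^0.3.9"; "=0.3.9" pins the version.
fn satisfies(req: &str, candidate: &str) -> Option<bool> {
    let c = parse_version(candidate)?;
    let req = req.trim();
    if let Some(exact) = req.strip_prefix('=') {
        return Some(parse_version(exact)? == c);
    }
    let base = parse_version(req.strip_prefix('^').unwrap_or(req))?;
    Some(c >= base && c < caret_upper(base))
}

// Highest available version that satisfies every requirement, i.e. the
// single copy that could serve all dependents without a duplicate.
fn highest_common<'a>(reqs: &[&str], available: &[&'a str]) -> Option<&'a str> {
    available.iter().copied()
        .filter(|c| reqs.iter().all(|r| satisfies(r, c) == Some(true)))
        .max_by_key(|c| parse_version(c))
}

fn main() {
    let available = ["0.3.9", "0.3.12", "0.3.15", "0.4.0"]; // constructed list
    // Crate A wants "0.3.9", crate B wants "0.3.12": one version serves both.
    println!("{:?}", highest_common(&["0.3.9", "0.3.12"], &available));
    // With an exact pin on one side there is no common version.
    println!("{:?}", highest_common(&["=0.3.9", "0.3.12"], &available));
}
```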