-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot patch underspecified git dependency #7670
Comments
Related: #7497 |
I just ran into this issue too. Our use case: we have a project using the Rust SGX forks of serde and serde-json, like this: [dependencies]
serde = { git = "https://github.com/mesalock-linux/serde-sgx", tag = "sgx_1.1.3" }
serde_json = { git = "https://github.com/mesalock-linux/serde-json-sgx", tag = "sgx_1.1.3" } However, serde-json-sgx references the serde-sgx repository without the tag (source): [dependencies]
serde = { git = "https://github.com/mesalock-linux/serde-sgx" } Both references resolve to the same git revision, but because the git tag reference differs, Cargo resolves and builds them as different crate versions, which causes hard-to-understand build failures due to our project referring to different instances of the serde traits than serde_json does. I tried the following patch to override serde-json-sgx's dependency to match our project's, but it failed with the same "points to the same source" error message as above: [patch."https://github.com/mesalock-linux/serde-sgx"]
serde = { git = "https://github.com/mesalock-linux/serde-sgx.git", tag = "sgx_1.1.3" } For now, our workaround is to make sure that our project's reference to the serde-sgx repository matches that of serde-json-sgx exactly: serde = { git = "https://github.com/mesalock-linux/serde-sgx" }
serde_json = { git = "https://github.com/mesalock-linux/serde-json-sgx", tag = "sgx_1.1.3" } This fixes the issue, but it's fragile. It would be nice to be able to use a patch entry to override this more reliably. |
This issue is either a duplicate of, or related to, #5478. |
Closing in favor of #5478. If there is a reason for us to re-evaluate this, let us know! |
Problem
When you have a very large codebase with a lot of crates that you vendor (cough cough Firefox), you may want to avoid surprise updates from indirect dependencies using underspecified git dependencies (as in, a dependency on a crate using a git repo without a specific revision).
While you can patch the git dependency with a different repo with a specific revision, it doesn't appear to be possible to patch only adding the specific revision.
Steps
cargo new foo
foo/Cargo.toml
to add:cargo new bar
bar/Cargo.toml
to add:cargo build
This fails with
Using
instead works.
Possible Solution(s)
I think when the source is the same, but comes with more information, or changed information, the patch should be allowed.
More information as the above example (there was no rev originally, one was added)
Changed information as in:
bar/Cargo.toml
foo/Cargo.toml
should be allowed. Or
bar/Cargo.toml
foo/Cargo.toml
Or a different branch, or whatever. That is, you shouldn't have to fork the repository to change the revision that is going to be used.
The text was updated successfully, but these errors were encountered: