2018-12-06 19:17:36 +00:00
|
|
|
use crate::support::git;
|
|
|
|
use crate::support::registry::Package;
|
|
|
|
use crate::support::{basic_manifest, lines_match, project};
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
|
|
|
#[test]
|
|
|
|
fn oldest_lockfile_still_works() {
|
2018-03-14 15:17:44 +00:00
|
|
|
let cargo_commands = vec!["build", "update"];
|
2017-10-03 14:57:49 +00:00
|
|
|
for cargo_command in cargo_commands {
|
|
|
|
oldest_lockfile_still_works_with_command(cargo_command);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
fn oldest_lockfile_still_works_with_command(cargo_command: &str) {
|
2018-07-20 17:41:44 +00:00
|
|
|
Package::new("bar", "0.1.0").publish();
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
2018-03-14 15:17:44 +00:00
|
|
|
let expected_lockfile = r#"[[package]]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "bar"
|
2017-11-12 17:57:05 +00:00
|
|
|
version = "0.1.0"
|
|
|
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
|
|
|
|
|
|
[[package]]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
2017-10-03 12:18:08 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
dependencies = [
|
2018-07-20 17:41:44 +00:00
|
|
|
"bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
2017-10-03 12:18:08 +00:00
|
|
|
]
|
|
|
|
|
|
|
|
[metadata]
|
2018-07-20 17:41:44 +00:00
|
|
|
"checksum bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "[..]"
|
2017-10-03 12:18:08 +00:00
|
|
|
"#;
|
|
|
|
|
2018-03-14 15:17:44 +00:00
|
|
|
let old_lockfile = r#"[root]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
dependencies = [
|
2018-07-20 17:41:44 +00:00
|
|
|
"bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
]
|
|
|
|
|
|
|
|
[[package]]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "bar"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
version = "0.1.0"
|
|
|
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
|
|
"#;
|
2016-08-25 08:34:25 +00:00
|
|
|
|
2018-07-20 17:41:44 +00:00
|
|
|
let p = project()
|
2018-03-14 15:17:44 +00:00
|
|
|
.file(
|
|
|
|
"Cargo.toml",
|
|
|
|
r#"
|
2016-08-25 08:34:25 +00:00
|
|
|
[project]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
2016-08-25 08:34:25 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
authors = []
|
|
|
|
|
|
|
|
[dependencies]
|
2018-07-20 17:41:44 +00:00
|
|
|
bar = "0.1.0"
|
2018-03-14 15:17:44 +00:00
|
|
|
"#,
|
2018-12-08 11:19:47 +00:00
|
|
|
)
|
|
|
|
.file("src/lib.rs", "")
|
2017-10-30 19:56:46 +00:00
|
|
|
.file("Cargo.lock", old_lockfile)
|
|
|
|
.build();
|
2017-10-03 14:05:57 +00:00
|
|
|
|
2018-08-28 09:20:03 +00:00
|
|
|
p.cargo(cargo_command).run();
|
2017-10-03 12:18:08 +00:00
|
|
|
|
2017-10-03 14:57:49 +00:00
|
|
|
let lock = p.read_lockfile();
|
|
|
|
for (l, r) in expected_lockfile.lines().zip(lock.lines()) {
|
|
|
|
assert!(lines_match(l, r), "Lines differ:\n{}\n\n{}", l, r);
|
2017-10-03 14:05:57 +00:00
|
|
|
}
|
2017-10-03 14:57:49 +00:00
|
|
|
|
|
|
|
assert_eq!(lock.lines().count(), expected_lockfile.lines().count());
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
}
|
|
|
|
|
2017-10-30 19:56:46 +00:00
|
|
|
#[test]
|
|
|
|
fn frozen_flag_preserves_old_lockfile() {
|
2018-07-20 17:41:44 +00:00
|
|
|
let cksum = Package::new("bar", "0.1.0").publish();
|
2017-10-30 19:56:46 +00:00
|
|
|
|
2017-11-29 01:44:25 +00:00
|
|
|
let old_lockfile = format!(
|
2017-10-30 19:56:46 +00:00
|
|
|
r#"[root]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
2017-10-30 19:56:46 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
dependencies = [
|
2018-07-20 17:41:44 +00:00
|
|
|
"bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
2017-10-30 19:56:46 +00:00
|
|
|
]
|
|
|
|
|
|
|
|
[[package]]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "bar"
|
2017-10-30 19:56:46 +00:00
|
|
|
version = "0.1.0"
|
|
|
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
|
|
|
|
|
|
[metadata]
|
2018-07-20 17:41:44 +00:00
|
|
|
"checksum bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "{}"
|
2017-11-29 01:44:25 +00:00
|
|
|
"#,
|
2018-03-14 15:17:44 +00:00
|
|
|
cksum,
|
2017-11-29 01:44:25 +00:00
|
|
|
);
|
2017-10-30 19:56:46 +00:00
|
|
|
|
2018-07-20 17:41:44 +00:00
|
|
|
let p = project()
|
2018-03-14 15:17:44 +00:00
|
|
|
.file(
|
|
|
|
"Cargo.toml",
|
|
|
|
r#"
|
2017-10-30 19:56:46 +00:00
|
|
|
[project]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
2017-10-30 19:56:46 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
authors = []
|
|
|
|
|
|
|
|
[dependencies]
|
2018-07-20 17:41:44 +00:00
|
|
|
bar = "0.1.0"
|
2018-03-14 15:17:44 +00:00
|
|
|
"#,
|
2018-12-08 11:19:47 +00:00
|
|
|
)
|
|
|
|
.file("src/lib.rs", "")
|
2017-11-29 01:44:25 +00:00
|
|
|
.file("Cargo.lock", &old_lockfile)
|
2017-10-30 19:56:46 +00:00
|
|
|
.build();
|
|
|
|
|
2018-08-28 09:20:03 +00:00
|
|
|
p.cargo("build --locked").run();
|
2017-10-30 19:56:46 +00:00
|
|
|
|
|
|
|
let lock = p.read_lockfile();
|
|
|
|
for (l, r) in old_lockfile.lines().zip(lock.lines()) {
|
|
|
|
assert!(lines_match(l, r), "Lines differ:\n{}\n\n{}", l, r);
|
|
|
|
}
|
|
|
|
|
|
|
|
assert_eq!(lock.lines().count(), old_lockfile.lines().count());
|
|
|
|
}
|
|
|
|
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
#[test]
|
|
|
|
fn totally_wild_checksums_works() {
|
2018-07-20 17:41:44 +00:00
|
|
|
Package::new("bar", "0.1.0").publish();
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
2018-07-20 17:41:44 +00:00
|
|
|
let p = project()
|
2018-03-14 15:17:44 +00:00
|
|
|
.file(
|
|
|
|
"Cargo.toml",
|
|
|
|
r#"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
[project]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
authors = []
|
|
|
|
|
|
|
|
[dependencies]
|
2018-07-20 17:41:44 +00:00
|
|
|
bar = "0.1.0"
|
2018-03-14 15:17:44 +00:00
|
|
|
"#,
|
2018-12-08 11:19:47 +00:00
|
|
|
)
|
|
|
|
.file("src/lib.rs", "")
|
2018-03-14 15:17:44 +00:00
|
|
|
.file(
|
|
|
|
"Cargo.lock",
|
|
|
|
r#"
|
2017-10-03 12:18:08 +00:00
|
|
|
[[package]]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
dependencies = [
|
2018-07-20 17:41:44 +00:00
|
|
|
"bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
]
|
|
|
|
|
|
|
|
[[package]]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "bar"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
version = "0.1.0"
|
|
|
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
|
|
|
|
|
|
[metadata]
|
|
|
|
"checksum baz 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "checksum"
|
2018-07-20 17:41:44 +00:00
|
|
|
"checksum bar 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "checksum"
|
2018-03-14 15:17:44 +00:00
|
|
|
"#,
|
|
|
|
);
|
2016-08-25 08:34:25 +00:00
|
|
|
|
2017-07-22 03:12:21 +00:00
|
|
|
let p = p.build();
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
2018-08-28 09:20:03 +00:00
|
|
|
p.cargo("build").run();
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
2016-08-25 08:34:25 +00:00
|
|
|
let lock = p.read_lockfile();
|
2018-12-08 11:19:47 +00:00
|
|
|
assert!(lock.starts_with(
|
|
|
|
r#"
|
2017-10-03 12:18:08 +00:00
|
|
|
[[package]]
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
name = "bar"
|
2018-07-20 17:41:44 +00:00
|
|
|
version = "0.1.0"
|
|
|
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
|
|
|
[[package]]
|
|
|
|
name = "foo"
|
2018-07-20 17:41:44 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
dependencies = [
|
|
|
|
"bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
|
|
|
]
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
|
|
|
[metadata]
|
2018-12-08 11:19:47 +00:00
|
|
|
"#
|
|
|
|
.trim()
|
|
|
|
));
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
#[test]
|
|
|
|
fn wrong_checksum_is_an_error() {
|
2018-07-20 17:41:44 +00:00
|
|
|
Package::new("bar", "0.1.0").publish();
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
2018-07-20 17:41:44 +00:00
|
|
|
let p = project()
|
2018-03-14 15:17:44 +00:00
|
|
|
.file(
|
|
|
|
"Cargo.toml",
|
|
|
|
r#"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
[project]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
authors = []
|
|
|
|
|
|
|
|
[dependencies]
|
2018-07-20 17:41:44 +00:00
|
|
|
bar = "0.1.0"
|
2018-03-14 15:17:44 +00:00
|
|
|
"#,
|
2018-12-08 11:19:47 +00:00
|
|
|
)
|
|
|
|
.file("src/lib.rs", "")
|
2018-03-14 15:17:44 +00:00
|
|
|
.file(
|
|
|
|
"Cargo.lock",
|
|
|
|
r#"
|
2017-10-03 12:18:08 +00:00
|
|
|
[[package]]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
dependencies = [
|
2018-07-20 17:41:44 +00:00
|
|
|
"bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
]
|
|
|
|
|
|
|
|
[[package]]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "bar"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
version = "0.1.0"
|
|
|
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
|
|
|
|
|
|
[metadata]
|
2018-07-20 17:41:44 +00:00
|
|
|
"checksum bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "checksum"
|
2018-03-14 15:17:44 +00:00
|
|
|
"#,
|
|
|
|
);
|
2016-08-25 08:34:25 +00:00
|
|
|
|
2017-07-22 03:12:21 +00:00
|
|
|
let p = p.build();
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
2018-08-28 09:20:03 +00:00
|
|
|
p.cargo("build")
|
|
|
|
.with_status(101)
|
|
|
|
.with_stderr(
|
2018-03-14 15:17:44 +00:00
|
|
|
"\
|
2018-09-08 09:23:57 +00:00
|
|
|
[UPDATING] `[..]` index
|
2018-07-20 17:41:44 +00:00
|
|
|
error: checksum for `bar v0.1.0` changed between lock files
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
|
|
|
this could be indicative of a few possible errors:
|
|
|
|
|
|
|
|
* the lock file is corrupt
|
|
|
|
* a replacement source in use (e.g. a mirror) returned a different checksum
|
|
|
|
* the source itself may be corrupt in one way or another
|
|
|
|
|
2018-07-20 17:41:44 +00:00
|
|
|
unable to verify that `bar v0.1.0` is the same as when the lockfile was generated
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
2018-03-14 15:17:44 +00:00
|
|
|
",
|
2018-12-08 11:19:47 +00:00
|
|
|
)
|
|
|
|
.run();
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// If the checksum is unlisted in the lockfile (e.g. <none>) yet we can
|
|
|
|
// calculate it (e.g. it's a registry dep), then we should in theory just fill
|
|
|
|
// it in.
|
|
|
|
#[test]
|
|
|
|
fn unlisted_checksum_is_bad_if_we_calculate() {
|
2018-07-20 17:41:44 +00:00
|
|
|
Package::new("bar", "0.1.0").publish();
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
2018-07-20 17:41:44 +00:00
|
|
|
let p = project()
|
2018-03-14 15:17:44 +00:00
|
|
|
.file(
|
|
|
|
"Cargo.toml",
|
|
|
|
r#"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
[project]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
authors = []
|
|
|
|
|
|
|
|
[dependencies]
|
2018-07-20 17:41:44 +00:00
|
|
|
bar = "0.1.0"
|
2018-03-14 15:17:44 +00:00
|
|
|
"#,
|
2018-12-08 11:19:47 +00:00
|
|
|
)
|
|
|
|
.file("src/lib.rs", "")
|
2018-03-14 15:17:44 +00:00
|
|
|
.file(
|
|
|
|
"Cargo.lock",
|
|
|
|
r#"
|
2017-10-03 12:18:08 +00:00
|
|
|
[[package]]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
dependencies = [
|
2018-07-20 17:41:44 +00:00
|
|
|
"bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
]
|
|
|
|
|
|
|
|
[[package]]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "bar"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
version = "0.1.0"
|
|
|
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
|
|
|
|
|
|
[metadata]
|
2018-07-20 17:41:44 +00:00
|
|
|
"checksum bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "<none>"
|
2018-03-14 15:17:44 +00:00
|
|
|
"#,
|
|
|
|
);
|
2017-07-22 03:12:21 +00:00
|
|
|
let p = p.build();
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
2018-08-28 09:20:03 +00:00
|
|
|
p.cargo("fetch")
|
|
|
|
.with_status(101)
|
|
|
|
.with_stderr(
|
2018-03-14 15:17:44 +00:00
|
|
|
"\
|
2018-09-08 09:23:57 +00:00
|
|
|
[UPDATING] `[..]` index
|
2018-07-20 17:41:44 +00:00
|
|
|
error: checksum for `bar v0.1.0` was not previously calculated, but a checksum \
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
could now be calculated
|
|
|
|
|
|
|
|
this could be indicative of a few possible situations:
|
|
|
|
|
|
|
|
* the source `[..]` did not previously support checksums,
|
|
|
|
but was replaced with one that does
|
|
|
|
* newer Cargo implementations know how to checksum this source, but this
|
|
|
|
older implementation does not
|
|
|
|
* the lock file is corrupt
|
|
|
|
|
2018-03-14 15:17:44 +00:00
|
|
|
",
|
2018-12-08 11:19:47 +00:00
|
|
|
)
|
|
|
|
.run();
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// If the checksum is listed in the lockfile yet we cannot calculate it (e.g.
|
|
|
|
// git dependencies as of today), then make sure we choke.
|
|
|
|
#[test]
|
|
|
|
fn listed_checksum_bad_if_we_cannot_compute() {
|
2018-07-20 17:41:44 +00:00
|
|
|
let git = git::new("bar", |p| {
|
2018-07-24 22:35:01 +00:00
|
|
|
p.file("Cargo.toml", &basic_manifest("bar", "0.1.0"))
|
2018-08-28 09:20:03 +00:00
|
|
|
.file("src/lib.rs", "")
|
2018-12-08 11:19:47 +00:00
|
|
|
})
|
|
|
|
.unwrap();
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
2018-07-20 17:41:44 +00:00
|
|
|
let p = project()
|
2018-03-14 15:17:44 +00:00
|
|
|
.file(
|
|
|
|
"Cargo.toml",
|
|
|
|
&format!(
|
|
|
|
r#"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
[project]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
authors = []
|
|
|
|
|
|
|
|
[dependencies]
|
2018-07-20 17:41:44 +00:00
|
|
|
bar = {{ git = '{}' }}
|
2018-03-14 15:17:44 +00:00
|
|
|
"#,
|
|
|
|
git.url()
|
|
|
|
),
|
2018-12-08 11:19:47 +00:00
|
|
|
)
|
|
|
|
.file("src/lib.rs", "")
|
2018-03-14 15:17:44 +00:00
|
|
|
.file(
|
|
|
|
"Cargo.lock",
|
|
|
|
&format!(
|
|
|
|
r#"
|
2017-10-03 12:18:08 +00:00
|
|
|
[[package]]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
dependencies = [
|
2018-07-20 17:41:44 +00:00
|
|
|
"bar 0.1.0 (git+{0})"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
]
|
|
|
|
|
|
|
|
[[package]]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "bar"
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
version = "0.1.0"
|
|
|
|
source = "git+{0}"
|
|
|
|
|
|
|
|
[metadata]
|
2018-07-20 17:41:44 +00:00
|
|
|
"checksum bar 0.1.0 (git+{0})" = "checksum"
|
2018-03-14 15:17:44 +00:00
|
|
|
"#,
|
|
|
|
git.url()
|
|
|
|
),
|
|
|
|
);
|
2016-08-25 08:34:25 +00:00
|
|
|
|
2017-07-22 03:12:21 +00:00
|
|
|
let p = p.build();
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
2018-08-28 09:20:03 +00:00
|
|
|
p.cargo("fetch")
|
|
|
|
.with_status(101)
|
|
|
|
.with_stderr(
|
2018-03-14 15:17:44 +00:00
|
|
|
"\
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
[UPDATING] git repository `[..]`
|
2018-07-20 17:41:44 +00:00
|
|
|
error: checksum for `bar v0.1.0 ([..])` could not be calculated, but a \
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
checksum is listed in the existing lock file[..]
|
|
|
|
|
|
|
|
this could be indicative of a few possible situations:
|
|
|
|
|
|
|
|
* the source `[..]` supports checksums,
|
|
|
|
but was replaced with one that doesn't
|
|
|
|
* the lock file is corrupt
|
|
|
|
|
2018-07-20 17:41:44 +00:00
|
|
|
unable to verify that `bar v0.1.0 ([..])` is the same as when the lockfile was generated
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
|
2018-03-14 15:17:44 +00:00
|
|
|
",
|
2018-12-08 11:19:47 +00:00
|
|
|
)
|
|
|
|
.run();
|
Add sha256 checksums to the lockfile
This commit changes how lock files are encoded by checksums for each package in
the lockfile to the `[metadata]` section. The previous commit implemented the
ability to redirect sources, but the core assumption there was that a package
coming from two different locations was always the same. An inevitable case,
however, is that a source gets corrupted or, worse, ships a modified version of
a crate to introduce instability between two "mirrors".
The purpose of adding checksums will be to resolve this discrepancy. Each crate
coming from crates.io will now record its sha256 checksum in the lock file. When
a lock file already exists, the new checksum for a crate will be checked against
it, and if they differ compilation will be aborted. Currently only registry
crates will have sha256 checksums listed, all other sources do not have
checksums at this time.
The astute may notice that if the lock file format is changing, then a lock file
generated by a newer Cargo might be mangled by an older Cargo. In anticipation
of this, however, all Cargo versions published support a `[metadata]` section of
the lock file which is transparently carried forward if encountered. This means
that older Cargos compiling with a newer lock file will not verify checksums in
the lock file, but they will carry forward the checksum information and prevent
it from being removed.
There are, however, a few situations where problems may still arise:
1. If an older Cargo takes a newer lockfile (with checksums) and updates it with
a modified `Cargo.toml` (e.g. a package was added, removed, or updated), then
the `[metadata]` section will not be updated appropriately. This modification
would require a newer Cargo to come in and update the checksums for such a
modification.
2. Today Cargo can only calculate checksums for registry sources, but we may
eventually want to support other sources like git (or just straight-up path
sources). If future Cargo implements support for this sort of checksum, then
it's the same problem as above where older Cargos will not know how to keep
the checksum in sync
2016-02-03 19:04:07 +00:00
|
|
|
}
|
2016-08-20 21:27:06 +00:00
|
|
|
|
2016-08-22 23:59:31 +00:00
|
|
|
#[test]
|
|
|
|
fn current_lockfile_format() {
|
2018-07-20 17:41:44 +00:00
|
|
|
Package::new("bar", "0.1.0").publish();
|
2016-08-22 23:59:31 +00:00
|
|
|
|
2018-07-20 17:41:44 +00:00
|
|
|
let p = project()
|
2018-03-14 15:17:44 +00:00
|
|
|
.file(
|
|
|
|
"Cargo.toml",
|
|
|
|
r#"
|
2016-08-22 23:59:31 +00:00
|
|
|
[package]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
2016-08-22 23:59:31 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
authors = []
|
|
|
|
|
|
|
|
[dependencies]
|
2018-07-20 17:41:44 +00:00
|
|
|
bar = "0.1.0"
|
2018-03-14 15:17:44 +00:00
|
|
|
"#,
|
2018-12-08 11:19:47 +00:00
|
|
|
)
|
|
|
|
.file("src/lib.rs", "");
|
2017-07-22 03:12:21 +00:00
|
|
|
let p = p.build();
|
2016-08-22 23:59:31 +00:00
|
|
|
|
2018-08-28 09:20:03 +00:00
|
|
|
p.cargo("build").run();
|
2016-08-22 23:59:31 +00:00
|
|
|
|
2016-08-25 08:34:25 +00:00
|
|
|
let actual = p.read_lockfile();
|
2016-08-22 23:59:31 +00:00
|
|
|
|
|
|
|
let expected = "\
|
2017-10-03 12:18:08 +00:00
|
|
|
[[package]]
|
2016-08-22 23:59:31 +00:00
|
|
|
name = \"bar\"
|
2018-07-20 17:41:44 +00:00
|
|
|
version = \"0.1.0\"
|
|
|
|
source = \"registry+https://github.com/rust-lang/crates.io-index\"
|
2016-08-22 23:59:31 +00:00
|
|
|
|
|
|
|
[[package]]
|
|
|
|
name = \"foo\"
|
2018-07-20 17:41:44 +00:00
|
|
|
version = \"0.0.1\"
|
|
|
|
dependencies = [
|
|
|
|
\"bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)\",
|
|
|
|
]
|
2016-08-22 23:59:31 +00:00
|
|
|
|
|
|
|
[metadata]
|
2018-07-20 17:41:44 +00:00
|
|
|
\"checksum bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)\" = \"[..]\"";
|
2016-08-22 23:59:31 +00:00
|
|
|
|
|
|
|
for (l, r) in expected.lines().zip(actual.lines()) {
|
|
|
|
assert!(lines_match(l, r), "Lines differ:\n{}\n\n{}", l, r);
|
|
|
|
}
|
|
|
|
|
|
|
|
assert_eq!(actual.lines().count(), expected.lines().count());
|
|
|
|
}
|
|
|
|
|
2016-08-20 21:27:06 +00:00
|
|
|
#[test]
|
|
|
|
fn lockfile_without_root() {
|
2018-07-20 17:41:44 +00:00
|
|
|
Package::new("bar", "0.1.0").publish();
|
2016-08-20 21:27:06 +00:00
|
|
|
|
|
|
|
let lockfile = r#"[[package]]
|
|
|
|
name = "bar"
|
2018-07-20 17:41:44 +00:00
|
|
|
version = "0.1.0"
|
|
|
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
2016-08-20 21:27:06 +00:00
|
|
|
|
|
|
|
[[package]]
|
|
|
|
name = "foo"
|
2018-07-20 17:41:44 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
dependencies = [
|
|
|
|
"bar 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
|
|
|
]
|
2016-08-20 21:27:06 +00:00
|
|
|
"#;
|
2016-08-25 08:34:25 +00:00
|
|
|
|
2018-07-20 17:41:44 +00:00
|
|
|
let p = project()
|
2018-03-14 15:17:44 +00:00
|
|
|
.file(
|
|
|
|
"Cargo.toml",
|
|
|
|
r#"
|
2016-08-25 08:34:25 +00:00
|
|
|
[package]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
2016-08-25 08:34:25 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
authors = []
|
|
|
|
|
|
|
|
[dependencies]
|
2018-07-20 17:41:44 +00:00
|
|
|
bar = "0.1.0"
|
2018-03-14 15:17:44 +00:00
|
|
|
"#,
|
2018-12-08 11:19:47 +00:00
|
|
|
)
|
|
|
|
.file("src/lib.rs", "")
|
2016-08-25 08:34:25 +00:00
|
|
|
.file("Cargo.lock", lockfile);
|
|
|
|
|
2017-07-22 03:12:21 +00:00
|
|
|
let p = p.build();
|
2016-08-20 21:27:06 +00:00
|
|
|
|
2018-08-28 09:20:03 +00:00
|
|
|
p.cargo("build").run();
|
2016-08-20 21:27:06 +00:00
|
|
|
|
2016-08-25 08:34:25 +00:00
|
|
|
let lock = p.read_lockfile();
|
2016-08-20 21:27:06 +00:00
|
|
|
assert!(lock.starts_with(lockfile.trim()));
|
|
|
|
}
|
2017-09-04 11:33:03 +00:00
|
|
|
|
|
|
|
#[test]
|
|
|
|
fn locked_correct_error() {
|
2018-07-20 17:41:44 +00:00
|
|
|
Package::new("bar", "0.1.0").publish();
|
2017-09-04 11:33:03 +00:00
|
|
|
|
2018-07-20 17:41:44 +00:00
|
|
|
let p = project()
|
2018-03-14 15:17:44 +00:00
|
|
|
.file(
|
|
|
|
"Cargo.toml",
|
|
|
|
r#"
|
2017-09-04 11:33:03 +00:00
|
|
|
[project]
|
2018-07-20 17:41:44 +00:00
|
|
|
name = "foo"
|
2017-09-04 11:33:03 +00:00
|
|
|
version = "0.0.1"
|
|
|
|
authors = []
|
|
|
|
|
|
|
|
[dependencies]
|
2018-07-20 17:41:44 +00:00
|
|
|
bar = "0.1.0"
|
2018-03-14 15:17:44 +00:00
|
|
|
"#,
|
2018-12-08 11:19:47 +00:00
|
|
|
)
|
|
|
|
.file("src/lib.rs", "");
|
2017-07-22 03:12:21 +00:00
|
|
|
let p = p.build();
|
2017-09-04 11:33:03 +00:00
|
|
|
|
2018-08-28 09:20:03 +00:00
|
|
|
p.cargo("build --locked")
|
|
|
|
.with_status(101)
|
|
|
|
.with_stderr(
|
2018-03-14 15:17:44 +00:00
|
|
|
"\
|
2018-09-08 09:23:57 +00:00
|
|
|
[UPDATING] `[..]` index
|
2018-09-20 15:51:04 +00:00
|
|
|
error: the lock file [CWD]/Cargo.lock needs to be updated but --locked was passed to prevent this
|
2018-03-14 15:17:44 +00:00
|
|
|
",
|
2018-12-08 11:19:47 +00:00
|
|
|
)
|
|
|
|
.run();
|
2017-09-04 11:33:03 +00:00
|
|
|
}
|