multiple matching crates when deps are duplicated (local deps)

[brson]

https://github.com/brson/rust-skeptic/pull/36 fixed this problem for crates.io dependencies but it still shows up for local dependencies because the fingerprint looks different.

[brson]

cc https://github.com/brson/rust-skeptic/issues/18

[budziq]

In fact the remote VCS based dependencies will be broken too.

Here is a braindump on how to tackle these problems in the (likely) case I'll not be able to work on this issue in the upcoming weeks.

Current implementation of dependency deduplication

• parses Cargo.lock [root][dependencies] section in search of valid crate names and crate version pairs
• parses all internal cargo .fingerprint files which are in the form of

{PROJECT_ROOT}/target/{BUILD_TYPE}/.fingerprint/{CRATE_NAME}-{CRATE_BUILD_HASH}/lib-{CRATE_NAME}-{CRATE_BUILD_HASH}.json 

for example

/some/path/target/debug/.fingerprint/skeptic-e3787ed99bbcb291/lib-skeptic-e3787ed99bbcb291.json 

searching for following JSON construct containing the crate version under [local][precalculated] or [local][0][precalculated]:

"local": {
    "Precalculated": "0.10.1"
},

• the version obtained from .fingerprint is correlated with one from Cargo.lock
  • in case there are multiple hits with given (name, version) the one with highest mtime is selected
• the rlib path for given dependency is calculated as

{PROJECT_ROOT}/target/{BUILD_TYPE}/deps/lib{CRATE_NAME}-{CRATE_BUILD_HASH}.rlib

for example

/some/path/target/debug/deps/libskeptic-e3787ed99bbcb291.rlib

• the obtained rlibs are linked to each skeptic test if given rlib exists

The problem with local PATH and VCS based dependencies

Both local and VCS dependencies will not work in current setup due to different .fingerprint format

• local path dependency - here the "Precalculated" is replaced by a path to fingerprint from which we cannot read the version but can still infer the rlib path.

    "local": {
        "MtimeBased": [
            [
                1499933308,
                284260699
            ],
            "/some/path/target/debug/.fingerprint/skeptic-f99537cab0ea0278/dep-lib-skeptic-f99537cab0ea0278"
        ]
    },

• remote VCS dependency - the "Precalculated" shows VCS commit id instead of version we can use semver crate to differentiate the two cases

    "local": {
        "Precalculated": "4f04f1e58bf2839735f692a511f502ad48ec0f48"
    },

In both cases we are still able to obtain rlib paths but we loose the correlation with Cargo.lock. At the moment my best idea would be to just fallback to selecting the rlib with highest mtime in case we are handling PATH or VCS based dependency and cross our fingers 😞

@brson Honestly, this is an awful hackjob and we may need to wait for cargo buildplans rust-lang/cargo#3815 to solve this issue reasonably.