-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add local registry overlays #13926
Add local registry overlays #13926
Conversation
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @ehuss (or someone else) some time within the next two weeks. Please see the contribution instructions for more information. Namely, in order to ensure the minimum review times lag, PR authors and assigned reviewers should ensure that the review label (
|
crates/cargo-test-support/src/lib.rs
Outdated
if let Some(ref mut p) = self.process_builder { | ||
let env_value = format!("{}={}", url, path); | ||
p.env( | ||
"__CARGO_TEST_PACKAGE_CONFUSION_VULNERABILITY_DO_NOT_USE_THIS", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: The term of art for this kind of vulnerability is "Dependency Confusion". As with so many names in computer science, it's better to have consistency then trying to find a better name. This term was coined in the blog post https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 which might be worth linking in comments about how users could easily miss use this.
Catching Eric up on some of the context, Arlo and I discussed the questions from #10948 (comment) at office hours on Thursday. Adding this API, exclusively for internal use, seemed like the least hacky solution. |
Thanks for the review! I think this is ready for another look -- we managed to successfully use this for #10948 as discussed. |
src/cargo/util/context/mod.rs
Outdated
/// affect any newly created `PackageRegistry`s. | ||
/// | ||
/// See [`crate::sources::overlay::OverlayConfusionAttack`] for why you shouldn't use this. | ||
pub fn local_overlays(&self) -> RefMut<'_, HashMap<SourceId, PathBuf>> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd hope we can avoid putting this on GlobalContext but its hard to say without reviewing the follow up at the same time. Should we defer this to the follow up PR?
My motivation is that it gets messy adding and removing from the Global Context and if we can directly instantiate things, the easier it will be to maintain.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can give a little more context before we decide whether or not to defer. cargo package
needs the overlay to take effect during a call to ops::compile
. AFAICT there are three possibilities:
- put the overlay configuration in
GlobalContext
- put the overlay configuration in the ephemeral workspace that
cargo package
creates - have
cargo package
do something lower-level thanops::compile
The workspace option has the advantage that the overlay configuration doesn't need to be removed (because the workspace is discarded). It seems like it would just require a little work in resolve_ws
and resolve_ws_with_opts
to get the overlay configuration out of the workspace and insert it into the PackageRegistry
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The workspace seems the most beneficial. Whichever way we go, still seems like it could be split out into a follow up PR
btw feel free to clean up your commit history for how you want to present it for review and merge. |
This adds a new mechanism for overlaying sources. An overlayed source returns packages from two (or more) sources. This functionality is not intended for public use, but it will be useful for packaging a workspace that contains inter-crate dependencies. Co-authored-by: Tor Hovland <[email protected]>
c99add9
to
beb929e
Compare
Adds workspace configuration options (not user-exposed) for overlaying sources.
Thanks! @bors r+ |
☀️ Test successful - checks-actions |
Update cargo 14 commits in b1feb75d062444e2cee8b3d2aaa95309d65e9ccd..4dcbca118ab7f9ffac4728004c983754bc6a04ff 2024-06-07 20:16:17 +0000 to 2024-06-11 16:27:02 +0000 - Add local registry overlays (rust-lang/cargo#13926) - docs(change): Don't mention non-existent workspace.badges (rust-lang/cargo#14042) - test: migrate binary_name to snapbox (rust-lang/cargo#14041) - Bump to 0.82.0; update changelog (rust-lang/cargo#14040) - tests: Migrate alt_registry to snapbox (rust-lang/cargo#14031) - fix: proc-macro example from dep no longer affects feature resolution (rust-lang/cargo#13892) - chore: Bump cargo-util-schemas to 0.5 (rust-lang/cargo#14038) - chore(deps): update rust crate pulldown-cmark to 0.11.0 (rust-lang/cargo#14037) - fix: remove `__CARGO_GITOXIDE_DISABLE_LIST_FILES` env var (rust-lang/cargo#14036) - chore(deps): update rust crate itertools to 0.13.0 (rust-lang/cargo#13998) - fix(toml): remove `lib.plugin` key support and make it warning (rust-lang/cargo#13902) - chore(deps): update compatible (rust-lang/cargo#13995) - fix: using `--release/debug` and `--profile` together becomes an error (rust-lang/cargo#13971) - fix(toml): Convert warnings that `licence` and `readme` files do not exist into errors (rust-lang/cargo#13921) r? ghost
Package workspaces Adds support for packaging an entire workspace, even when there are dependencies between the crates. The generated packages should be identical to the ones produced by packaging and publishing the crates one-by-one in dependency order, but the main benefit of this PR is that the packages can be created and verified locally before anything is published. The main mechanism is the one in #13926, where we create a temporary local registry that "overlays" the true registry. We "publish" the crates in the local registry, which enables lockfile generation and verification of the dependent crates. This adds `--registry` and `--index` flags to `cargo package`. They act much like the same arguments to `cargo publish`, except that of course we are not actually publishing to the specified registry. Instead, these arguments affect lock-file generation for intra-workspace dependencies: when simultaneously packaging a crate and one of its dependencies, the lock-file will be generated under the assumption that the dependency will be published to the specified registry. You can also publish a subset of a workspace using `-p` arguments. In this case, there will be an error unless the chosen subset contains all of the dependencies of everything in the subset. Fixes #10948. Based on #13926. ### Compatibility issue This PR introduces a case where `cargo package` will fail where it did not before: if you have a workspace containing two packages, `main` and `[email protected]`, where `main` depends on `[email protected]` and `[email protected]` is already published in crates.io then attempting to package the whole workspace will fail. To be specific, it will package `[email protected]` successfully and then fail when trying to package `main` because it will see the two different packages for `[email protected]`. Note that `cargo publish` will already fail in this scenario. This shouldn't interfere with crates.io running `cargo package` for each package to diff the `.crate` files - This might interfere if someone tried to verify their "published" MSRV by running `cargo package`. The failure could be avoided by changing the local overlay source to not error out if there's a duplicate package; see [here](#13926 (comment)). However, failing early has the advantage of catching errors early.
This PR adds (private to cargo internals) support for local registry overlays, in which you can locally pretend to add packages to remote registries; the local packages will have the same source ids as the remote registry that you're overlaying.
There are two ways to set up these overlays: programmatically using
GlobalContext::local_overlays
and through the__CARGO_TEST_PACKAGE_CONFUSION_VULNERABILITY_DO_NOT_USE_THIS
environment variable. You can't set up these overlays with.cargo/config
.The motivation for this is packaging workspaces. When we're packing a workspace, we'd like to be able to pretend (for lockfile generation and verification) that some workspace packages are already published even though they aren't.