Open dcsommer opened 2 years ago
Thanks for the report! I think there may be some confusion about how cargo install
works (see #9289). When you pass the --path
argument to .cargo_vendor/cargo-ndk/
, it is looking for the lock file at .cargo_vendor/cargo-ndk/Cargo.lock
. When it doesn't find one, it builds a new Cargo.lock
just for that package.
However, due to the way cargo works, resolving Cargo.lock
does not use source replacement (so it resolves using the latest versions from crates.io). That isn't really a supported use case, since there should always be a corresponding lock file when vendored.
cargo install
isn't designed to install packages from dependencies, it is only designed to install standalone packages.
Also, thanks for creating the reproduction. However, it seems to be missing the Cargo.lock
file, so I can't really test your specific example.
I've updated the repro repo to include the Cargo.lock
file, so you should be able to reproduce now. It's interesting how omitting --frozen --locked
allows the command to work (of course it defeats my intended goal to install from vendored dependencies).
I'm getting the same confusing error (failed to select version for a requirement, with "candidate versions found which didn't match" suggesting a version which actually would match the requirement). My use case however is packaging up a Rust program into an RPM. The Fedora RPM infrastructure sets up a .cargo/config
file which does the following to replace crates.io with a local directory:
[source.local-registry]
directory = "/usr/share/cargo/registry"
[source.crates-io]
registry = "https://crates.io"
replace-with = "local-registry"
However, when trying to run cargo build
, I then get told the same thing:
error: failed to select a version for the requirement `serde = "^1.0"`
candidate versions found which didn't match: 1.0.134
location searched: directory source `/usr/share/cargo/registry` (which is replacing registry `crates-io`)
required by package `greetd_ipc v0.8.0 (/builddir/build/BUILD/greetd-0.8.0/greetd_ipc)`
perhaps a crate was updated and forgotten to be re-vendored?
and there really is a /usr/share/cargo/registry/serde-1.0.134 present.
Never mind me, my issue was because there was a Cargo.lock file in a higher-level directory which locked a particular version of serde I didn't have in my local registry.
Problem
Issue with cargo vendor + cargo install
(repo with repro steps here: https://github.com/dcsommer/cargo-vendor-install-issue)
I've found an issue with vendoring and installation of cargo subcommands related to semver compatibility checks. To recreate the issue:
cargo vendor .cargo_vendor
(this step is checked in for convenience, but feel free to delete the directory and recreate it)cargo install --locked --frozen --path .cargo_vendor/cargo-ndk/ --root bin
You get the following error message:
As
0.14.1
is compatible with the constraint^0.14.0
per semver rules, this appears to be a bug withcargo install
.I've tested this with 1.57 and 1.53 and it repros on both, although the error message is one character different in 1.53 (it claims the requirement is
cargo_metadata = "=0.14.0"
rather thancargo_metadata = "^0.14.0"
).Steps
cargo install
. In the example repo, this dependency iscargo-ndk = 2.5
cargo vendor .cargo_vendor
(this step is checked in for convenience, but feel free to delete the directory and recreate it)cargo install --locked --frozen --path .cargo_vendor/cargo-ndk/ --root bin
Possible Solution(s)
No response
Notes
--locked
does not workaround the issue.--frozen
(so it doesn't use the vendored dependencies and gets them from crates.io) works and also printsCompiling cargo_metadata v0.14.1
. So, the complaint that0.14.1
isn't compatible seems doubly bogus as cargo itself ends up using it if you don't vendor!Version