rust-lang / cargo

The Rust package manager
https://doc.rust-lang.org/cargo
Apache License 2.0

`cargo package` includes multiple README files when the case is not all upper-case #14020

Open ehuss opened 3 months ago

ehuss commented 3 months ago

Problem

If a package has a Readme.md file (and no readme field in Cargo.toml), it will end up with two readme files in the package.

This regressed in https://github.com/rust-lang/rust/pull/96031 (rust 1.62.0). I'm not sure which of those is responsible.

Steps

  1. cargo new foo
  2. cd foo
  3. touch Readme.md
  4. cargo package --list --allow-dirty

Possible Solution(s)

No response

Notes

No response

Version

cargo 1.77.1 (e52e36006 2024-03-26)
release: 1.77.1
commit-hash: e52e360061cacbbeac79f7f1215a7a90b6f08442
commit-date: 2024-03-26
host: x86_64-apple-darwin
libgit2: 1.7.2 (sys:0.18.2 vendored)
libcurl: 8.6.0 (sys:0.4.70+curl-8.5.0 system ssl:(SecureTransport) LibreSSL/3.3.6)
ssl: OpenSSL 1.1.1w  11 Sep 2023
os: Mac OS 14.5.0 [64-bit]

epage commented 3 months ago

This is a subset of #13722.

I'm assuming the root cause is #10548, which mirrored existing license logic over for readmes.

Turbo87 commented 1 month ago

Has there been any work done on this yet? Would it be viable to revert https://github.com/rust-lang/cargo/pull/10548 if that is indeed the root cause of this bug?

epage commented 1 month ago

@Turbo87 this has been in since 1.62 and was just reported just over a month ago. What is bad enough about this that a partial revert of #10548 should be considered?

Turbo87 commented 1 month ago

> What is bad enough about this that a partial revert of #10548 should be considered?

We would like to turn the server-side validation for duplicate files back on to prevent potential security issues. That is admittedly unlikely to be relevant for the readme, but might be an issue for code modules depending on the system. E.g. it would be bad if, for example, docs.rs showed different sources than what is actually getting compiled in because of casing conflicts.

epage commented 1 month ago

@Turbo87 so your concern is more about #13722 than this issue?

Turbo87 commented 1 month ago

To some degree yes, though this one here is apparently what is commonly happening in production from what I've seen so far.

jian-lin commented 1 month ago

> If a package has a Readme.md file (and no readme field in Cargo.toml), it will end up with two readme files in the package.

This bug also happens if there is readme = "README.md" in Cargo.toml.

I cannot reproduce this on linux but I can reproduce this on darwin.
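
The duplicate-file validation discussed in this thread can be approximated by case-folding every path in a package listing and flagging the groups that collide. The following is an added example, not code from cargo, crates.io or any participant in this issue; the function name `case_collisions`, the sample listing and the use of simple lowercasing as the folding rule are assumptions.

```rust
use std::collections::BTreeMap;

/// Groups package paths that would collide on a case-insensitive filesystem.
/// Each returned group is sorted; exact duplicate entries count as a collision too.
/// (Hypothetical helper written for this example.)
pub fn case_collisions<'a>(paths: &[&'a str]) -> Vec<Vec<&'a str>> {
    let mut by_folded: BTreeMap<String, Vec<&'a str>> = BTreeMap::new();
    for &p in paths {
        // Normalize separators and drop a leading "./" so the same entry
        // cannot hide behind a different spelling of the path.
        let norm = p.replace('\\', "/");
        let norm = norm.trim_start_matches("./");
        // Assumption: plain Unicode lowercasing stands in for the folding
        // rules of real case-insensitive filesystems, which differ in detail.
        by_folded.entry(norm.to_lowercase()).or_default().push(p);
    }
    by_folded
        .into_values()
        .filter(|group| group.len() > 1)
        .map(|mut group| {
            group.sort_unstable();
            group
        })
        .collect()
}

fn main() {
    // Constructed listing in the shape of `cargo package --list` output.
    let listing = ["Cargo.toml", "README.md", "Readme.md", "src/main.rs"];
    for group in case_collisions(&listing) {
        println!("case-insensitive collision: {}", group.join(", "));
    }
}
```

Lowercasing the full path also catches collisions in directory components, which is the case that matters for code modules rather than readme files.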