search

rust-lang / docs.rs

crates.io documentation generator
https://docs.rs
MIT License
956 stars 193 forks source link

docs.rs source view adds Cargo.lock files that are not the crate #2499

Closed kornelski closed 1 week ago

kornelski commented 2 months ago

For example, the source view for homestar-workspace-hack 0.1.0 shows it has a Cargo.lock file. However, the crate tarball (sha256 f8262aa8f1bd0abeb4d0cdf11ec0dcdfef10951df63a4b09741665c9bd7531b1) has no such file.

I would expect the source view to show only files present in the crate tarball. It's concerning that this looks like a "dirty" state after cargo has been run.

syphar commented 1 month ago

Hi @kornelski ,

valid point, the file is likely a remainder from the build process, since currently we're copying the source after the builds.

The solution is of course to copy / upload the source before we build the crate, which will also neatly fit into #2467 as an intermediate result we can expose for failed builds.

kpreid commented 1 month ago

The displayed Cargo.lock is also updated, i.e. may contain newer versions than the lock file already present in the package. This just gave me a lot of confusion when trying to figure out why a cargo install --locked build was using versions older than docs.rs showed.

(I imagine that a malicious package could also change its own files during build to hide them from the source view.)

syphar commented 1 week ago

I created a PR that will move storing the source files to before the build, after the fetch.

This will also have the advantage that we can browse the sources for some error cases