Open salaheldinsoliman opened 5 months ago
Sorry, I think I made a mistake in the previous PR where I commented about the lock file. We need to keep Cargo.lock, and not have it in the gitignore.
While there is a historical recommendation to not commit lock files in Rust libraries, we don't follow it because it is safer for developers working on the library if a lock file is present, otherwise fresh clones of the repo download new versions of crates outside the control of the developer, and for good security, developers should always be in control of what is installed/built/run on their systems.
Could we keep the Cargo.lock file? It shouldn't need modifying as part of this change.
Related discussion in Discord: https://discord.com/channels/897514728459468821/1067534037310255225/1230929191751647314
Related internal discussion: https://stellarfoundation.slack.com/archives/C030Z9EHVQE/p1713745643062029
Related internal discussion: https://stellarfoundation.slack.com/archives/C030Z9EHVQE/p1713745643062029
@leighmcculloch Is there a way to have a peek on this discussion, as I don't have access to it?
We have some things to nut internally about how different projects depend on dependency consistency.
But I see @dmkozh approved already, so possibly we could merge this now.
@dmkozh Is this mergeable?
We have some things to nut internally about how different projects depend on dependency consistency.
But I see @dmkozh approved already, so possibly we could merge this now.
@dmkozh Is this mergeable?
I think I should close this, and instead merge #1415 as it bumps both proc-macro2
and quote
I think we're going to do this (in preference to #1415) but before we do, we'll write a tool that checks that the lockfile on the stellar-core repo is the same (at least on any package in common) with the lockfile in this repo. That ought to address the concern that the two might be testing / releasing different versions. I'll update here when I have such a thing ready.
@salaheldinsoliman Since we're going to relax the version requirements rather than pin, did you want to also relax the version requirement of quote in this PR?
here's an initial sketch of such a tool: https://github.com/graydon/check-lockfile-intersection output looks like so: https://gist.github.com/graydon/3856f26fe34bb695316f795cf04462c9 I'll work on this more tomorrow, out of time for tonight.
👋🏻 What's the status of the check-lockfile-intersection
tool?
What
1-Bump and loosen crates proc-macro2 and quote
Why
To solve a dependancy error while building Solang, when adding soroban-env-host to its Cargo.toml: error: failed to select a version for
proc-macro2
. ... required by packagesoroban-builtin-sdk-macros v20.2.2
... which satisfies dependencysoroban-builtin-sdk-macros = "=20.2.2"
of packagesoroban-env-host v20.2.2
... which satisfies dependencysoroban-env-host = "^20.2.2"
of packagesolang v0.3.3
versions that meet the requirements=1.0.69
are: 1.0.69all possible versions conflict with previously selected packages.
previously selected package
proc-macro2 v1.0.78
... which satisfies dependencyproc-macro2 = "^1.0.78"
of packageparse-display-derive v0.9.0
... which satisfies dependencyparse-display-derive = "=0.9.0"
of packageparse-display v0.9.0
... which satisfies dependencyparse-display = "^0.9"
of packagesolang v0.3.3
failed to select a version for
proc-macro2
which could resolve this conflict