Discuss: Check in Cargo.lock file? #14135
Labels
enhancement
New feature or request
Comments
|
100%. IMHO dependency updates should only ever happen via a PR/git pull, not like what happens now with cargo. |
|
Since it would be a very important step towards re-buildable releases (and then also to strictly reproducible builds) - #14479 - i am for adding cargo.lock file to the repository. Additional benefit is that this would also simplify datafusion-cli build. No longer split brain for local compilation 🚀 . |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem or challenge?
Broken out of a discussion on a PR here:
As described in https://github.com/apache/datafusion?tab=readme-ov-file#dependencies-and-a-cargolock
DataFusion currently does not check in
Cargo.lockwhich was the recommendation for earlier versions of Rust@mbrobbel has a good point here #14069 (comment) that the guidance for Cargo.lock and library files has changed
See https://blog.rust-lang.org/2023/08/29/committing-lockfiles.html
Describe the solution you'd like
TLDR it sounds like the rust team now suggests always committing Cargo.lock and letting dependabot handle updates. That seems like a good idea to me
@gatesn suggested
Though One thing we have to be aware of in DataFusion is that as part of the Apache security posture, only certain third party actions are allowed -- we would have to double check Rennovate
Describe alternatives you've considered
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: