Integrate the lockfile and registry-based deps
This commit radically changes the approach of how lockfiles are handled in the
package registry and how resolve interacts with it. Previously "using a
lockfile" entailed just adding all of the precise sources to the registry and
relying on them not being updated to remain locked. This strategy does not work
out well for the registry, however, as one source can provide many many packages
and it may need to be updated for other reasons.
This new strategy is to rewrite instances of `Summary` in an on-demand fashion
to mention locked versions and sources wherever possible. This will ensure that
any relevant `Dependency` will end up having an exact version requirement as
well as a precise source to originate from (if possible). This rewriting is
performed in a few locations:
1. The top-level package has its dependencies rewritten to their precise
variants if the dependency still matches the precise variant. This covers the
case where a dependency was updated the the lockfile now needs to be updated.
2. Any `Summary` returned from the package registry which matches a locked
`PackageId` will unconditionally have all of its dependencies rewritten to
their precise variants. This is done because any previously locked package
must remain locked during resolution.
3. Any `Summary` which points at a package which was not previously locked still
has its dependencies modified to point at any matching locked package. This
is done to ensure that updates are as conservative as possible.
There are still two outstanding problems with lockfiles and the registry which
this commit does not attempt to solve:
* Yanked versions are not respected
* The registry is still unconditionally updated on all compiles.
projects / cargo.git / commit