dgit.raspbian.org Git - cargo.git/commit

author	Alex Crichton <alex@alexcrichton.com>
	Thu, 23 Oct 2014 19:21:08 +0000 (12:21 -0700)
committer	Alex Crichton <alex@alexcrichton.com>
	Mon, 27 Oct 2014 19:40:23 +0000 (12:40 -0700)
commit	88116d4ddad36ce4ff3e9f47eaa043c16c599feb
tree	7cf641eae9be071352b362a8c04568ea0c81b946	tree \| snapshot
parent	6ab9311754474868b7e908d5908ce048afa76f8f	commit \| diff

Respect yanks in the registry

In general the semantics of a yank are that the code itself is not removed from
the registry, but rather packages are no longer allowed to depend on the
version. A yank is normally done to remove broken code or perhaps secrets, but
actually deleting code means that all packages depending on the yanked version
all of a sudden break. For these reasons a yank does not actually delete code,
but only flags the version as yanked in the index.

Yanked packages are therefore able to be depended upon if a lockfile points at a
yanked version, but are not allowed to become new dependencies of packages.

Implementation-wise, the following changes were made:

* SourceIds originating from a lockfile for registries will have a precise
version listed (just a generic string "locked")
* Dependencies which use precise source ids are allowed to read yanked versions
* Dependencies without a precise source id are not allowed to use yanked
versions

When using a lockfile (or a previous instance of resolve), all operations will
rewrite dependencies to have the precise source ids where applicable, meaning
the locked versions have access to yanked versions, but the unlocked versions do
not.

src/cargo/core/source.rs		diff \| blob \| history
src/cargo/sources/registry.rs		diff \| blob \| history
tests/support/registry.rs		diff \| blob \| history
tests/test_cargo_registry.rs		diff \| blob \| history