Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minor: Document the rationale for the lack of Cargo.lock #14071

Merged
merged 2 commits into from
Jan 15, 2025
Merged

Minor: Document the rationale for the lack of Cargo.lock #14071

merged 2 commits into from
Jan 15, 2025
+27 −1

Conversation

alamb
Copy link
Contributor

@alamb alamb commented Jan 10, 2025

Which issue does this PR close?

The question of why Cargo.lock is not checked in comes up from time to time, most recently in

Rationale for this change

I think documenting the rationale as I understand it will help:

  1. To answer questions about why it is this way
  2. Help us decide if we want to change the process

What changes are included in this PR?

Document my recollection of why Cargo.lock is not checked in

Are these changes tested?

By CI

Are there any user-facing changes?

Update the readme

@alamb alamb added the documentation Improvements or additions to documentation label Jan 10, 2025
alamb
alamb commented Jan 10, 2025
View reviewed changes
README.md
@@ -146,3 +146,27 @@ stable API, we also improve the API over time. As a result, we typically
deprecate methods before removing them, according to the [deprecation guidelines].

[deprecation guidelines]: https://datafusion.apache.org/library-user-guide/api-health.html

## Dependencies and a `Cargo.lock`
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mbrobbel has a good point here #14069 (comment)

I think one concern originally was how we would keep a Cargo.lock file up to date with the latest version of the dependencies

I can't remember if depndabot was available at that point -- maybe dependabot is good enough that we could check in Cargo.lock and have Dependabot update it

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From my perspective it is very important that CI covers testing with the latest versions of all dependencies (as that is what many/most downstream crates will use as well)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to point to https://blog.rust-lang.org/2023/08/29/committing-lockfiles.html for considerations and suggestions.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TLDR it sounds like the rust team now suggests always committing Cargo.lock and letting dependabot handle updates. That seems like a good idea to me

Copy link

@gatesn gatesn Jan 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just my two cents, but I have found Renovate to be much more configurable. Here's an example of a lock file maintenance PR: spiraldb/vortex#1818

Copy link
Contributor Author

@alamb alamb Jan 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One thing we have to be aware of in DataFusion is that as part of the Apache security posture, only certain third party actions are allowed -- we would have to double check Rennovate

I think the next step is probably to file an issue to explicitly discuss checking in a Cargo.lock file. I'll try and find time over the next few days if no one beats me to it

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I filed a ticket to discuss next steps:

@alamb alamb mentioned this pull request Jan 10, 2025
Merged
comphead
comphead reviewed Jan 14, 2025
View reviewed changes
README.md Outdated Show resolved Hide resolved
comphead
comphead approved these changes Jan 15, 2025
View reviewed changes
Copy link
Contributor

@comphead comphead left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm thanks @alamb for getting this documented

@comphead comphead merged commit 0c229d7 into apache:main Jan 15, 2025
4 checks passed
@alamb alamb deleted the alamb/document_cargo_lock branch January 15, 2025 16:49
@alamb alamb mentioned this pull request Jan 15, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mbrobbel mbrobbel mbrobbel left review comments

@gatesn gatesn gatesn left review comments

@comphead comphead comphead approved these changes

Assignees
No one assigned
Labels
documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@alamb @gatesn @mbrobbel @comphead