Before 1.84, the lockfile was already being generated if it had a bin or an example. How did you workaround that problem?

Are you dealing with packaging-order with packages within a workspace or does this cross workspaces? If the latter, could you explain more about that process?

If its for workspaces, could you test and report back on whether -Zpackage-workspace resolves the problem? That allows packaging more than one package at a time in a workspace in the correct order.

Before 1.84, the lockfile was already being generated if it had a bin or an example. How did you workaround that problem?

I didn't personally, most of the work I do for Debian is within the first scenario (packaging single crates from crates.io), plus a couple of cdylibs, and cargo package is not needed for either of these use-cases. To my knowledge, the only user of cargo package in Debian at this time is dh-rust, which was written and is maintained by a developer outside of Rust Team. From what I understand he was aware of issues caused by the lockfile before 1.84 and he implemented a simple dependency resolution algorithm which (again to my understanding) broke after 1.84 because more packages became affected and started to FTBFS. The last time I checked (that is, shortly after opening this issue) the current workaround was an improved dependency resolution algorithm which however still breaks with circular dependencies because of cargo package's behavior, causing some packages to still FTBFS. Moreover, the workaround doesn't deal with the fact that dependencies must be present to use cargo package (AFAIK, the maintainer dropped support for building library packages without installing (useless, in this context) build-dependencies in response to this, in tens of packages). I don't know if the situation has improved since.

Within Rust Team, we are not currently affected by lockfile issues. However, we plan to support packaging workspaces using debcargo and dh-cargo (the first of which builds the source package, while the second builds the actual .deb), and cargo package is probably the best option for this use-case, in a very similar fashion in which dh-rust is using it at this time. I see us going through the very same problems, and them being fully avoidable since we don't really care about the lockfile. The present issue is mainly for future applications in Rust Team (but if it results in making life easier for dh-rust and its maintainer I would be very happy that it did).

Are you dealing with packaging-order with packages within a workspace or does this cross workspaces? If the latter, could you explain more about that process?

AFAIK dh-rust is having packaging-order issues only within workspaces, and I am anticipating the same issues in workspaces too, so yes to the first question. As for cross-workspace packaging-order issues, no, I don't expect any¹, but that of dependencies needing to be installed just to canonicalize a crate still remains, and we want to avoid it.

If its for workspaces, could you test and report back on whether -Zpackage-workspace resolves the problem? That allows packaging more than one package at a time in a workspace in the correct order.

For the sake of giving you an answer based on a pre-existing implementation I hacked dh-rust 0.0.10 to make it use current rustup's cargo nightly, and it did not work. However, I think the implementation matters here (dh-rust wasn't written to use -Zpackage-workspace, it calls cargo package --package on each crate in turn, so I guess that flag not working is fully expected). For future implementations, I can see how -Zpackage-workspace may solve the ordering issues (e.g. by using the --workspace flag too and packaging all the workspace at once?), but, again, if I understood correctly what it does, it will not solve the issue of avoiding useless dependencies (namely, the rest of the registry besides the workspace). I guess the bottom line is cargo package should have a way to avoid depending on the registry for use-cases that do not require it -- like those which don't really care about Cargo.lock, see Debian -- and that's not the problem -Zpackage-workspace tries to solve.

More generally, what I think should work and does not is: empty registry, cargo package --offline --no-verify, either within or outside of a workspace. If one actually needs a well-formed and up-to-date Cargo.lock then this request is meaningless, for obvious reasons. But if one doesn't need it then I think this is a sensible request, and one which may be expressed by an additional flag.

Actually, I think I do see a fairly possible scenario where cross-workspace packaging-order issues may arise in Debian, still having to do with circular dependencies. Library crate a in workspace A depends on library crate b in workspace B, library crate b in workspace B dev-depends (e.g. for tests) on library crate a in workspace A, neither A nor B have ever been packaged in Debian, we want to use cargo package in internal tooling (that is, at package build time, like dh-rust does) to package both A and B.

This is currently hard to do because of the change in 1.84: building the .deb for a from source A requires b's .deb (which is fine, b is a real build-dependency of A because a depends on b), but building the .deb for b from source B requires a's .deb because installing a's .deb is the only way to have a in the registry used by cargo package to create b's Cargo.lock (this Cargo.lock will never end up in the Debian package for b in the first place as it is deleted immediately). Note that B needing a to build means that a mere test dependency (we have those in Debian too) has now become an actual build-dependency: generating the useless lockfile caused an actual circular build-dependency.

What we would do in this case, I guess, is patch out the dev-dependency of b on a by any means necessary (e.g. by removing tests) and upload the B and then the A source. Then, if we wanted to re-enable b's tests, assuming we are ok with introducing a circular build-dependency in the archive, we would wait a few hours for A and B to build, remove the patch, make B build-depend on a and re-upload it. Will this work? Probably. Does this make me wish we could decouple cargo package from the registry, given that a useless lockfile cost us a circular build-dependency? Yes.

/cc @Fabian-Gruenbichler to see if I overlooked something in the scenario above

In official Debian packaging at least. Outside of Debian, I was told by a Rust Team members he's using cargo package to build debian packages for their day job, and he's forced to have all crates installed in the local registry just to build the source package.

that would be me, and indeed, this is quite annoying for us at Proxmox. we've written quite a bit of software in Rust over the past few years which is shipped as Debian packages (we are a Debian derivative). most of our crates are not (yet) published on crates.io for various reasons, and debcargo calls cargo's package action internally when (Debian-)packaging crates from a local tree. we use a local fake registry (consisting of packaged crates) to replace crates.io via .cargo/config.toml.

this means if we have a crate A depending on B and dev-depending on C, we need to have Debian packages for B and C and their transitive dependencies installed, just to run debcargo package (which in turn basically does cargo package) to generate a source package which then gets passed to the build environment to build the binary package(s). this is very cumbersome, as building the package doesn't require the dev-dependencies at all (they are only required for the seaprate, post-build testing step that happens in a different environment), but the first step in the build pipeline (generating the source package), which doesn't actually need any crates installed at all, requires all of them to be installed instead.

I know this probably all sounds a bit involved/cumbersome/weird from upstream's PoV - I can go into more detail regarding the rationale for why things work as they do there, but to make the rather long story short - there definitely is a real world use case for running cargo package (both the command, as well as the corresponding cargo library interface) without touching/requiring Cargo.lock, and we'd appreciate it if it became possible (an unstable flag is totally fine, and crates.io rejecting crates without one would also be fine in my book!).

just to add: for us -Zpackage-workspace doesn't help at all, as only some of the (superfluously required) crates are part of the same workspace, the issue affects every dependency.

/cc @Fabian-Gruenbichler to see if I overlooked something in the scenario above

no, that example seems correct - this is the equivalent of cargo package with a reference to an unpublished crate (version), just that "publish" in this case means "create and install a Debian package" as that is what creates the entry in the local (fake) registry replacement for crates.io. I guess a hacky workaround would be to somehow generate fake entries for dev-dependencies if they are missing (which would of course mean bogus entries in the resulting Cargo.lock file, but since that gets thrown away anyway..).

the -Zavoid-dev-deps trick we use to run cargo build/install/clean in the absence of dev-dependencies doesn't work here either.

no, that example seems correct

Then I'll add turning test dependencies into build-dependencies as a 4th issue in the problem statement above.