Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

During cargo publish, verify that src directory is not modified by the build.rs #5073

Closed
matklad opened this issue Feb 24, 2018 · 9 comments
Closed

During cargo publish, verify that src directory is not modified by the build.rs #5073

matklad opened this issue Feb 24, 2018 · 9 comments
Labels
A-build-scripts Area: build.rs scripts Command-publish S-accepted Status: Issue or feature is accepted, and has a team member available to help mentor or review

Comments

@matklad
Copy link
Member

matklad commented Feb 24, 2018

A common pitfall when doing build.rs code generation in Rust is to write generated files directly to /src. It may seem fine on the first blush, but it does cause problems when you use such crate as a dependency, because there's an implicit invariant that sources in .cargo/registry should be immutable. Breaking this invariant sometimes is fine, but sometimes leads to pretty bewildering bugs:

So, I think we, first of all, should formally declare and document that build scripts should not modify stuff outside of OUT_DIR. We can enforce this rule during pre-flight check in cargo publish, by making the directory with sources read-only before the build. That is, in this line, we should add an equivalent of chown ua-w -r dst.
@matklad
Copy link
Member Author

matklad commented May 3, 2018

Hm, I've tagged this E-mentor, but we haven't really discussed if we want this feature at all. Will bring it up the next cargo team meeting.

@matklad matklad added the S-accepted Status: Issue or feature is accepted, and has a team member available to help mentor or review label May 14, 2018
@matklad matklad changed the title Consider makeing sources read-only when running pre-publish checks During cargo publish, verify that src directory is not modified by the build.rs May 14, 2018
@matklad
Copy link
Member Author

matklad commented May 14, 2018

We've discussed this on the meeting and we do want this feature, hence feature-accepted label.

We've figured out a better strategy to detect this error than making src readonly. During publish, we can calculate a checksum before and after we run cargo build, and complain if they don't match. That way, we'll be able to give a precise error message, which is much better than build.rs panicking with PermissionDenied.

I think DirectorySource in Cargo calculates checksums of directories, so it might be useful. Alternatively, PathSource::fingerprint method could be used: it computes mtimes and not checksums, but mtimes are probably even better, because we will be able to point which files exactly are modified.

@gferon gferon mentioned this issue May 28, 2018
Merged
bors added a commit that referenced this issue May 29, 2018
@bors
Auto merge of #5584 - boxdot:master, r=matklad
f35302c 
Verify that src dir wasn't modified by build.rs when publishing

Fixes issue #5073.

Implemented during RustFest Paris `impl days`.
@dwijnand
Copy link
Member

dwijnand commented Aug 8, 2018

This can be closed now: it's been fixed with #5584.

@matklad matklad closed this as completed Aug 8, 2018
@mikephelan mikephelan mentioned this issue May 11, 2020
Closed
2 tasks
@neithanmo neithanmo mentioned this issue Dec 3, 2020
Merged
yati-sagade added a commit to yati-sagade/bitrust that referenced this issue May 13, 2021
@yati-sagade
Do not generate protobuf code inside src
39b742d 
This is not recommended, and cargo publish fails unless you want to
proceed with --no-verify. See
rust-lang/cargo#5073.

I am copying the approach taken in
Zondax/ledger-rs@43908c4,
where we generate the proto sources in OUT_DIR (an envvar available to
build scripts), and then communicating the list of generated mods to
rustc via a custom envvar.
@GTwhy GTwhy mentioned this issue Feb 8, 2022
Merged
@SuperCuber SuperCuber mentioned this issue Apr 2, 2023
Merged
@kingwingfly
Copy link

kingwingfly commented Mar 3, 2024
edited
Loading

Hello, I meet a problem due to this:

I'm working on a crate, and need generate code in src only for doc test.

For example, I generate code in src/test_utils/mod.rs, and use it in doc test:

# #[path = "test_utils/mod.rs"]
# mod test_utils;
use test_utils::xxx;

But I cannot publish it recentlty:

error: failed to verify package tarball

Caused by:
  Source directory was modified by build.rs during cargo publish. Build scripts should not modify anything outside of OUT_DIR.
  Changed: /home/louis/rust/.cargo/target/package/fav_utils-0.0.1/src/proto/bili.rs

  To proceed despite this, pass the `--no-verify` flag.

I tried add #[cfg(test)] ahead of Codegen, then it can be published. However, the Codegen can never run during develop.

// build.rs

// This can generate code but cannot be published
fn main() {
    println!("cargo:warning=Generate some code");
}

// This can be published but cannot generate code
fn main() {
    #[cfg(test)]
    println!("cargo:warning=Generate some code");
}

It will be so kind if anyone can give me a suggestion.

@epage
Copy link
Contributor

epage commented Mar 4, 2024

Is there a reason you are generating into src/ rather than $OUT_DIR like encouraged at https://doc.rust-lang.org/cargo/reference/build-script-examples.html#code-generation ?

@kingwingfly

This comment was marked as resolved.

Sign in to view
@kingwingfly

This comment was marked as resolved.

Sign in to view
@kingwingfly

This comment was marked as resolved.

Sign in to view
@kingwingfly

This comment was marked as resolved.

Sign in to view
@popzxc popzxc mentioned this issue Jul 8, 2024
Merged
4 tasks
popzxc added a commit to matter-labs/era-cuda that referenced this issue Jul 29, 2024
@popzxc
Prepare 0.1.0 release (#8)
3276080 
# What ❔

Prepares 0.1.0 release (already on crates.io)

⚠️ Changes the build script for cudart to use
[`OUT_DIR`](https://doc.rust-lang.org/cargo/reference/environment-variables.html#environment-variables-cargo-sets-for-build-scripts),
since it's an idiomatic approach and breaking it [may have unexpected
results](rust-lang/cargo#5073).

## Why ❔

Releasing on crates.io

## Checklist

<!-- Check your PR fulfills the following items. -->
<!-- For draft PRs check the boxes as you complete them. -->

- [ ] PR title corresponds to the body of PR (we generate changelog
entries from PRs).
- [ ] Tests for the changes have been added / updated.
- [ ] Documentation comments have been added / updated.
- [ ] Code has been formatted via `cargo fmt` and checked with `cargo
check` for any errors or warnings.
@bbb651 bbb651 mentioned this issue Jan 27, 2025
Open
@tzemanovic tzemanovic mentioned this issue Feb 7, 2025
Merged
3 tasks
@mergify mergify bot mentioned this issue Feb 7, 2025
Merged
3 tasks
@raldone01 raldone01 mentioned this issue Feb 20, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-build-scripts Area: build.rs scripts Command-publish S-accepted Status: Issue or feature is accepted, and has a team member available to help mentor or review
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@epage @dwijnand @matklad @kingwingfly