fix(vendor)!: vendor files with .rej/.orig suffix#15569
Merged
Conversation
Collaborator
rustbot
added
Command-vendor
S-waiting-on-review
Member
Author
|
Maybe I should do it in reversed order. |
So that it explicitly shows what we really vendor
This is meant to fixes rust-lang#13191 As git sources and registry sources are considered immutable. I don't think there is any reason excluding those files. There might be a little chance local Git repositories might have those, though that is a rare use case. Alternatively, we could reject all `.rej`/`.orig` files but `Cargo.toml.orig`.
Contributor
Yeah, I'd put the snapshot first |
epage
reviewed
May 21, 2025
epage
reviewed
May 21, 2025
Comment on lines
618
to
619
| // Temporary Cargo files | ||
| Some(".cargo-ok") => false, |
Contributor
There was a problem hiding this comment.
Now that we are doing fresh extractions, is this still needed?
Member
Author
There was a problem hiding this comment.
For git checkouts we still have that, though there is no test exercising that code path. Do you want a test for it in this PR?
Contributor
There was a problem hiding this comment.
Let's go ahead and merge this
epage
approved these changes
May 21, 2025
bors
added a commit
to rust-lang/rust
that referenced
this pull request
May 23, 2025
Update cargo 9 commits in 47c911e9e6f6461f90ce19142031fe16876a3b95..68db37499f2de8acef704c73d9031be6fbcbaee4 2025-05-14 17:53:17 +0000 to 2025-05-22 14:27:15 +0000 - chore(gh): Add new-lint issue template (rust-lang/cargo#15575) - fix(toml): Remove workaround for rustc frontmatter support (rust-lang/cargo#15570) - fix(vendor)!: vendor files with .rej/.orig suffix (rust-lang/cargo#15569) - fix(vendor)!: direct extraction for registry sources (rust-lang/cargo#15514) - chore(deps): update msrv (1 version) to v1.87 (rust-lang/cargo#15530) - Fix comment for cargo/core/compiler/fingerprint/mod.rs (rust-lang/cargo#15565) - fix: remove unnecessary workaround in standard_lib test (rust-lang/cargo#15522) - Allow configuring arbitrary codegen backends (rust-lang/cargo#15562) - Update dependencies (rust-lang/cargo#15557) r? ghost
github-actions Bot
pushed a commit
to rust-lang/miri
that referenced
this pull request
May 25, 2025
Update cargo 9 commits in 47c911e9e6f6461f90ce19142031fe16876a3b95..68db37499f2de8acef704c73d9031be6fbcbaee4 2025-05-14 17:53:17 +0000 to 2025-05-22 14:27:15 +0000 - chore(gh): Add new-lint issue template (rust-lang/cargo#15575) - fix(toml): Remove workaround for rustc frontmatter support (rust-lang/cargo#15570) - fix(vendor)!: vendor files with .rej/.orig suffix (rust-lang/cargo#15569) - fix(vendor)!: direct extraction for registry sources (rust-lang/cargo#15514) - chore(deps): update msrv (1 version) to v1.87 (rust-lang/cargo#15530) - Fix comment for cargo/core/compiler/fingerprint/mod.rs (rust-lang/cargo#15565) - fix: remove unnecessary workaround in standard_lib test (rust-lang/cargo#15522) - Allow configuring arbitrary codegen backends (rust-lang/cargo#15562) - Update dependencies (rust-lang/cargo#15557) r? ghost
LinbitPRBot
pushed a commit
to LINBIT/drbd-reactor
that referenced
this pull request
Oct 6, 2025
cargo 1.89.0 changed the vendor command such that the Cargo.toml.orig files are included in the vendored sources. See rust-lang/cargo#15569 This lead to an issue when generating the debian tarball: debuild by default cleans up all *.orig files in the dh_clean step. This would then cause the cargo build to fail the verification of the vendored sources, as those files suddenly where missing. To fix this, explicitly exclude Cargo.toml.orig files from cleaning.
arnout
pushed a commit
to buildroot/buildroot
that referenced
this pull request
Apr 13, 2026
Note: version 1.94.1 includes security fixes for: https://www.cve.org/CVERecord?id=CVE-2026-33055 https://www.cve.org/CVERecord?id=CVE-2026-33056 For full change logs, see: https://blog.rust-lang.org/2026/03/26/1.94.1-release/ https://blog.rust-lang.org/2026/03/05/Rust-1.94.0/ https://blog.rust-lang.org/2026/02/12/Rust-1.93.1/ https://blog.rust-lang.org/2026/01/22/Rust-1.93.0/ https://blog.rust-lang.org/2025/12/11/Rust-1.92.0/ https://blog.rust-lang.org/2025/11/10/Rust-1.91.1/ https://blog.rust-lang.org/2025/10/30/Rust-1.91.0/ https://blog.rust-lang.org/2025/09/18/Rust-1.90.0/ https://blog.rust-lang.org/2025/08/07/Rust-1.89.0/ Since Rust 1.89.0, the bootstrap was redesigned (upstream PR #119899): the stage 0 standard library is no longer built from source but copied from the stage 0 compiler's sysroot. This breaks host-rust in two ways. https://blog.rust-lang.org/inside-rust/2025/05/29/redesigning-the-initial-bootstrap-sequence/ rust-lang/rust#119899 First, building std from source for a cross target at stage 0 now requires build.local-rebuild to be set in config.toml. Without it, the bootstrap refuses to proceed. Set local-rebuild = true since the stage 0 compiler (host-rust-bin) is the same version as the compiler being built from source. rust-lang/rust#145876 Second, host-rust-bin creates relative symlinks to expose the host std libraries under its rustc component directory. The bootstrap's copy_link_internal() copies these symlinks verbatim into the stage0-sysroot, where the relative paths no longer resolve. Replace them with hardlink copies (cp -al) in HOST_RUST_BIN_LIBSTD_EXTRACT. Also, Rust received three changes in Cargo's vendoring logic which produces different vendor directory contents. In Rust version 1.89: - cargo vendor now does direct extraction from .crate tarballs instead of heuristic file listing, adding previously excluded files like .cargo_vcs_info.json and hidden directories: rust-lang/cargo#15514 - Files with .rej/.orig suffixes (e.g. Cargo.toml.orig) are no longer excluded from vendoring: rust-lang/cargo#15569 In Rust version 1.94 - Git-specific files (.gitattributes, .gitignore) are now recursively filtered in subdirectories, not just at the top level: rust-lang/cargo#16439 Therefore the hashes of all Cargo-fetched packages need to be updated. This commit changes the suffix of Cargo packages from -cargo4 to -cargo5, and updates all hashes. Signed-off-by: Nicolas Serafini <nicolas.serafini@flyability.com> Tested-by: Marcus Hoffmann <buildroot@bubu1.eu> [Julien: - mark commit as "security" and add info in commit log - squash version bump, bootstrap and hash fixes in a single commit - fix python-cryptography hash after update in commit 632e224 ] Signed-off-by: Julien Olivain <ju.o@free.fr>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR try to resolve?
This is meant to fixes #13191
As git sources and registry sources are considered immutable.
I don't think there is any reason excluding those files.
There might be a little chance local Git repositories might have those,
though that is a rare use case.
Alternatively,
we could reject all
.rej/.origfiles butCargo.toml.orig.How should we test and review this PR?
Test updates should be sufficient.
Additional information
This is a follow-up of #15514