Skip to content

Minor: Document the rationale for the lack of Cargo.lock#14071

Merged
comphead merged 2 commits intoapache:mainfrom
alamb:alamb/document_cargo_lock
Jan 15, 2025
Merged

Minor: Document the rationale for the lack of Cargo.lock#14071
comphead merged 2 commits intoapache:mainfrom
alamb:alamb/document_cargo_lock

Conversation

@alamb
Copy link
Contributor

@alamb alamb commented Jan 10, 2025

Which issue does this PR close?

The question of why Cargo.lock is not checked in comes up from time to time, most recently in

Rationale for this change

I think documenting the rationale as I understand it will help:

  1. To answer questions about why it is this way
  2. Help us decide if we want to change the process

What changes are included in this PR?

Document my recollection of why Cargo.lock is not checked in

Are these changes tested?

By CI

Are there any user-facing changes?

Update the readme

@alamb alamb added the documentation Improvements or additions to documentation label Jan 10, 2025
alamb
alamb commented Jan 10, 2025
View reviewed changes
README.md

[deprecation guidelines]: https://datafusion.apache.org/library-user-guide/api-health.html

## Dependencies and a `Cargo.lock`
Copy link
Contributor Author

@alamb alamb Jan 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mbrobbel has a good point here #14069 (comment)

I think one concern originally was how we would keep a Cargo.lock file up to date with the latest version of the dependencies

I can't remember if depndabot was available at that point -- maybe dependabot is good enough that we could check in Cargo.lock and have Dependabot update it

Copy link
Contributor Author

@alamb alamb Jan 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From my perspective it is very important that CI covers testing with the latest versions of all dependencies (as that is what many/most downstream crates will use as well)

Copy link
Member

@mbrobbel mbrobbel Jan 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to point to https://blog.rust-lang.org/2023/08/29/committing-lockfiles.html for considerations and suggestions.

Copy link
Contributor Author

@alamb alamb Jan 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TLDR it sounds like the rust team now suggests always committing Cargo.lock and letting dependabot handle updates. That seems like a good idea to me

Copy link
Contributor

@gatesn gatesn Jan 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just my two cents, but I have found Renovate to be much more configurable. Here's an example of a lock file maintenance PR: vortex-data/vortex#1818

Copy link
Contributor Author

@alamb alamb Jan 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One thing we have to be aware of in DataFusion is that as part of the Apache security posture, only certain third party actions are allowed -- we would have to double check Rennovate

I think the next step is probably to file an issue to explicitly discuss checking in a Cargo.lock file. I'll try and find time over the next few days if no one beats me to it

Copy link
Contributor Author

@alamb alamb Jan 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I filed a ticket to discuss next steps:

@alamb alamb mentioned this pull request Jan 10, 2025
Merged
comphead
comphead reviewed Jan 14, 2025
View reviewed changes
comphead
comphead approved these changes Jan 15, 2025
View reviewed changes
Copy link
Contributor

@comphead comphead left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm thanks @alamb for getting this documented

@comphead comphead merged commit 0c229d7 into apache:main Jan 15, 2025
4 checks passed
@alamb alamb deleted the alamb/document_cargo_lock branch January 15, 2025 16:49
@alamb alamb mentioned this pull request Jan 15, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@comphead comphead comphead approved these changes

+2 more reviewers

@gatesn gatesn gatesn left review comments

@mbrobbel mbrobbel mbrobbel left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@alamb @gatesn @mbrobbel @comphead

Comments