Description
Describe the problem you are trying to solve
A project I work on has dependencies on several crates, some of which are binary crates. We do not want our build system to access the internet (for a number of reasons), so we vendor those dependencies into our project (see google/tock-on-titan/third_party). We use a directory registry to point cargo at our vendored dependencies.
One of the dependencies (elf2tab) is an executable (a bin crate rather than a lib crate). Following typical Rust practice, it contains a Cargo.lock file. We contribute to elf2tab, so we include it via a git submodule, so we cannot maintain local changes to elf2tab.
Unfortunately, when I try to build elf2tab, cargo detects the Cargo.lock file in elf2tab and insists that its dependencies have the checksums listed in the Cargo.lock file. This prevents me from making local modifications to elf2tab's dependencies. As a result, I cannot deduplicate crates between different packages.
For example, elf2tab depends on elf, which depends on byteorder 0.*, but which would work fine with byteorder 1.2.3 if I could edit its Cargo.toml. A different dependency, libtock-rs, depends on corepack which depends on byteorder ~1.2.3. As a result, we need to have both versions of byteorder vendored in order to build our project. This makes auditing our source code more complex.
Describe the solution you'd like
I would like a flag -- or a cargo.config option -- that makes cargo ignore existing Cargo.lock files. Ideally, cargo's dependency resolution would be kept entirely in memory, but it could use a temporary file as well.
Notes
At the moment, we're working around this issue by running cargo in a sandbox that hides the existing Cargo.lock file, making cargo generate a new Cargo.lock file on each build.
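An added example (not part of the original issue and not cargo's own code): an audit script that compares the checksums pinned in a `Cargo.lock` with the `package` value in each vendored crate's `.cargo-checksum.json`, and lists crates locked at more than one version. It assumes the current lock format, where each `[[package]]` entry carries its own `checksum`, and the `name` / `name-version` directory layout that `cargo vendor` produces. The function names, crate versions and checksums are constructed for illustration.

```python
import json, re, tempfile
from collections import defaultdict
from pathlib import Path

PKG_RE = re.compile(r'^\[\[package\]\]\n(.*?)(?=^\[|\Z)', re.S | re.M)
KV_RE = re.compile(r'^(\w+) = "([^"]*)"', re.M)

def lock_packages(lock_text):
    """Yield the string fields (name, version, checksum, ...) of each [[package]]."""
    for block in PKG_RE.findall(lock_text):
        yield dict(KV_RE.findall(block))

def audit(lock_text, vendor_dir):
    """Return (checksum mismatches, crates locked at more than one version)."""
    mismatches, versions = [], defaultdict(set)
    for pkg in lock_packages(lock_text):
        versions[pkg["name"]].add(pkg["version"])
        if "checksum" not in pkg:  # path and git packages carry no checksum
            continue
        # Try "name-version" first, then plain "name" (assumed vendor layout).
        for d in (f'{pkg["name"]}-{pkg["version"]}', pkg["name"]):
            meta = Path(vendor_dir, d, ".cargo-checksum.json")
            if meta.is_file():
                vendored = json.loads(meta.read_text()).get("package")
                if vendored != pkg["checksum"]:
                    mismatches.append((pkg["name"], pkg["version"]))
                break
    dupes = {n: sorted(v) for n, v in versions.items() if len(v) > 1}
    return mismatches, dupes

def demo():
    """Run the audit on a constructed lock file and vendor tree (not from the issue)."""
    entry = '[[package]]\nname = "{}"\nversion = "{}"\nchecksum = "{}"\n\n'
    lock = (entry.format("byteorder", "0.5.3", "a" * 64)
            + entry.format("byteorder", "1.2.3", "b" * 64)
            + entry.format("elf", "0.0.10", "c" * 64))
    with tempfile.TemporaryDirectory() as vendor:
        # The vendored elf copy records a checksum that differs from the lock.
        for d, pkg_sum in (("byteorder-0.5.3", "a" * 64), ("byteorder", "b" * 64),
                           ("elf", "d" * 64)):
            Path(vendor, d).mkdir()
            Path(vendor, d, ".cargo-checksum.json").write_text(
                json.dumps({"files": {}, "package": pkg_sum}))
        return audit(lock, vendor)

if __name__ == "__main__":
    print(demo())
```

Run against a real tree by passing the submodule's `Cargo.lock` text and the vendor directory to `audit()`; any mismatch it reports is a crate whose vendored copy no longer matches what the lock file pins.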