more explicit build dependency handling#736
Conversation
thillux
force-pushed
the
strip-build-deps
branch
from
015e188 to
de80b11
Compare
|
I don't think there's a one-size-fits-all solution to this. So I don't think excluding them unconditionally is a good idea. However, what we should do is clearly indicate that these are build-time dependencies. We can set We could also consider adding a command-line option to exclude build dependencies, if them being explicitly marked as such is not sufficient. But we would need a really strong motivation to add yet another configuration knob. |
Signed-off-by: Markus Theil <theil.markus@gmail.com>
Signed-off-by: Markus Theil <theil.markus@gmail.com>
Good suggestions. I'd like to have both and I'm currently working on it. |
thillux
changed the title
|
@Shnatsel I hacked a first draft together to familarize myself with the code base. Is the basic idea correct, to check if a package was used as a normal dependency somewhere in the dependency graph and set it to DependencyKind::Required and DependencyKind::Excluded otherwise? Is there a easier/faster path to check this? |
|
My current simple test-case looks like this: [package]
name = "cargo-meta-tests"
version = "0.1.0"
edition = "2021"
[build-dependencies]
rand = "0.8.5"
rand-esdm = "0.1.4"
[dependencies]
rand = "0.8.5"
[dev-dependencies]
rand = "0.8.5" |
|
After looking through my current SBOM, I realized, that my idea for exclusion is probably too simple. Dependencies, which are only used by build dependencies are not marked as excluded. Shall we perform some additional pruning/indexing or just live with the simple CLI option to drop build dependencies on demand? If we can settle on some common idea after my tests, I'll cleanup/rewrite the PR. |
This. I've already written this logic for |
Signed-off-by: Markus Theil <theil.markus@gmail.com>
thillux
force-pushed
the
strip-build-deps
branch
from
1e8cf8f to
401638a
Compare
|
@Shnatsel after cribbing from |
thillux
changed the title
|
Could you also add tests, to make sure this functionality doesn't break in the future? |
|
Sure. I'll try tomorrow. |
thillux
force-pushed
the
strip-build-deps
branch
from
79dcd2c to
8283598
Compare
|
Two simple tests were added. Please have a look again. |
|
Yep, that looks good. Thanks a lot! Nix flake CI is failing, but none of the current maintainers know or use Nix, and it's been effectively unmaintained for a while. I think we should just go ahead and drop it. |
|
That's a pretty large Could you make a minimal Everything else looks good. Thanks a lot! |
|
Ok. I'll try tomorrow. |
thillux
force-pushed
the
strip-build-deps
branch
2 times, most recently
from
eda8764 to
c1f0c32
Compare
Signed-off-by: Markus Theil <theil.markus@gmail.com>
thillux
force-pushed
the
strip-build-deps
branch
from
c1f0c32 to
449d8e6
Compare
|
Done. Thanks for the hint to |
|
Unfortunately I have to revert this because it causes an infinite loop when there is a dependency cycle. A reproducing example can be found in #750 |
|
FWIW |
|
Ok & sorry for this. I had faulty assumptions. My assumption was, that the metadata I get is already acyclic. I just have to add a cycle check to the graph search. I'll fix this in a new PR. I'll leave the command line argument as is, therefore your other PR will still apply. |
|
No, there may be cycles through dev-dependencies. Thanks you for sticking with this! It is kind of a hard problem.
My other PR is not going to be mergeable. Git will make sure of it. So if you think that name is a good idea, I'd be happy if you just integrated that directly. |
|
@Shnatsel I was able to reproduce the infinite loop and the fix was a one-liner in the end. I have to rebase/cherry-pick now and open a new PR tomorrow. |
2 participants
I was wondering, why pkg-config is listed in my SBOM.
SBOMs should IMHO only contain dependencies which are not only used during build or development. It would also be possible to check against DependencyKind::Normal.