In short, I'm looking to feedback on the following questions:
- What packages or workflows are sensitive to
cargo package
orcargo publish
times? - Should
cargo publish
's verify step focus on smoke testing the packaging process or be a last-ditch quality check in case there isn't a CI?
cargo package
and cargo publish
run a verify step by default. When testing cargo publish --workspace
(cargo publish multiple packages at once · Issue #1169 · rust-lang/cargo · GitHub), I noticed how slow the verify step is and realized it is running cargo build
instead of cargo check
. Publishing packages is an infrequent task and the performance likely doesn't make much of a difference (well, except for aws-sdk). I did go all of these years without realizing thinking more about how slow it is.
Where cargo publish
time can make a difference is in dry-run support. Previously, workspace release tools, like cargo-release
, had to skip the verify step in dry-run modes because there wasn't a way to overlay the newly generated packages on top of the registry to build dependent workspace members. With cargo publish --workspace --dry-run
, that is now possible. This makes what was a fast dry-run to be very slow. Dry-run can be run part of the development cycle while tweaking the release process. The full build
isn't relevant to the that, especially when tweaking non-publishing steps like regex-based custom version updates. Users would hand-tweak the command to get the subset of functionality that is relevant but that requires extra work on the users behalf.
Switching the verify step from cargo build
to cargo check
would reduce the amount of time it takes and give the same amount of coverage for "is this packaged correctly". What it loses is any post-monopolization diagnostics (including linker errors). With Cargo Check T-lang Policy by Lokathor · Pull Request #3477 · rust-lang/rfcs · GitHub, cargo check
is officially not guaranteed to report all errors and code that passes only cargo check
is not subject to Rust's compatibility guarantees.
Whether the differences between cargo check
and cargo build
are relevant depends on factors like:
- Our general assumption of what users do before publishing (
cargo test
? run all of CI?) - The likelihood that a step from above is missed before release
- The likelihood of post-monopolization errors being introduced in that gap
- The number of affected users if a problem does slip through (are more popular crates likely to have more rigorous processes?)
This also gets into the larger question of what the role of the verify step, whether its
- Is this packaged correctly
- Technically, there is a risk of files missing depending on the combination of features or
--target
- Examples aren't built and could be missing files or dependencies. However, some dependencies might intentionally be missing as Cargo removes some to break publish dependency cycles
- if you prioritize running tests on a
.crate
, then the only way to verify all files are packaged is to run tests. However, some dependencies may also be stripped here and some community members have been policing the ecosystem for test data being packaged to reduce.crate
size, e.g. Released versions contain test data · Issue #200 · BurntSushi/bstr · GitHub, somewhat related to `cargo vendor` should offer the ability to omit the `tests/` directory · Issue #13474 · rust-lang/cargo · GitHub
- Technically, there is a risk of files missing depending on the combination of features or
- Last-ditch quality check
- Currently only builds (no clippy, miri, etc) the default build-targets using the
dev
profile with one feature set on one target-platform - Doesn't run tests (see earlier for problems here)
- Currently only builds (no clippy, miri, etc) the default build-targets using the
We could potentially make the verify step configurable (see also `cargo package` could run tests in the packaged tree · Issue #14685 · rust-lang/cargo · GitHub) at which point this becomes a question of defaults before and after this is configurable.