On 2025-07-17 at 20:32:18, Ezekiel Newren via GitGitGadget wrote: > diff --git a/rust/Cargo.lock b/rust/Cargo.lock > new file mode 100644 > index 000000000000..fb1eac690b39 > --- /dev/null > +++ b/rust/Cargo.lock > @@ -0,0 +1,14 @@ > +# This file is automatically @generated by Cargo. > +# It is not intended for manual editing. > +version = 4 > + > +[[package]] > +name = "interop" > +version = "0.1.0" > + > +[[package]] > +name = "xdiff" > +version = "0.1.0" > +dependencies = [ > + "interop", > +] I would prefer that we not check in Cargo.lock in Git. Part of the reason is that it changes across versions and so building with a different version of the toolchain can update the file. In addition, as I mentioned downthread, because our intention is to support the Debian stable toolchain for a year after the new stable release, unless we are exceptionally careful about dependencies, we may end up with a case where distros need to use older dependencies patched for security but other users may want to update the versions to newer dependencies with security fixes but that do not work on our pinned Rust version. We can't possibly satisfy both sets of people if we pin dependencies in Cargo.lock, so we probably want to avoid checking it in and ignore it instead. -- brian m. carlson (they/them) Toronto, Ontario, CA
Attachment:
signature.asc
Description: PGP signature
