"brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes:

>> +# This file is automatically @generated by Cargo.
>> +# It is not intended for manual editing.
>> +version = 4
>> +
>> +[[package]]
>> +name = "interop"
>> +version = "0.1.0"
>> +
>> +[[package]]
>> +name = "xdiff"
>> +version = "0.1.0"
>> +dependencies = [
>> + "interop",
>> +]
>
> I would prefer that we not check in Cargo.lock in Git.  Part of the
> reason is that it changes across versions and so building with a
> different version of the toolchain can update the file.
>
> In addition, as I mentioned downthread, because our intention is to
> support the Debian stable toolchain for a year after the new stable
> release, unless we are exceptionally careful about dependencies, we may
> end up with a case where distros need to use older dependencies patched
> for security but other users may want to update the versions to newer
> dependencies with security fixes but that do not work on our pinned Rust
> version.  We can't possibly satisfy both sets of people if we pin
> dependencies in Cargo.lock, so we probably want to avoid checking it in
> and ignore it instead.

Yup.  The comment in the first few lines of the file says it very well ;-)

Thanks for flagging it.
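
Review bot: `version = 4` near the top of the new Cargo.lock selects a lockfile format that older Cargo releases refuse to read, so tracking the file ties the build to newer toolchains and invites churn whenever a different Cargo rewrites it. Both `[[package]]` entries (`interop` and `xdiff`) carry no `source` or `checksum` lines, so the file pins no external crate and tracking it buys no reproducibility here. Suggest dropping Cargo.lock from the patch and adding it to .gitignore instead.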