Cargo Crusader 0.1 - Test the downstream impact of Rust crate changes before publishing

Yes, it should run on Travis.


This is a fascinating idea!

Does it also consider semver? I mean, if I bump the major version of my crate, will it be considered "OK" even if I make some breaking changes?

Looking at the code, it seems that the reverse_dependencies crates.io API simply lists all the crates that depend on my crate. Maybe this could be improved to list the crates that depend on the specific versions with the same major number of my crate?

Oh, I see a TODO is there actually. It seems to be also solvable locally by using some semver checking logic.

The Theory of Responsible API Evolution looks excellent!
Have people considered making a tool (or extending cargo) that will automatically report on API changes / potential breakages, and the corresponding semver requirements? All of the examples given (for major/minor changes) look statically analyzable.
Elm took this approach, where the packager enforces semver from an API/types perspective: see packager readme

While this certainly doesn't rule out all versioning breakages, it sounds fascinating.


I think you'll find the correct term is "Rustacean". This is a Rustilian:

This is a Rustacean:

Lookit 'im. 'e wouldn't hurt anyone. Note the protective type-system shell, guarding against a cruel, heartless world that just wants to crush him with the proverbial sledgehammer of memory unsafety. 'ee's a clever little crab, yes 'e is.

Seriously, though; this is damned cool. The only problem I can see is that it's going to be hard to sandbox. I mean, ideally, you could separate it into two phases: acquire dependencies, and test. That way, the "acquire dependencies" part should be safe, and then you can more aggressively lock down the "test" part.

Also, the last time I tried to find out how to effectively sandbox programs on Windows, I just found an endless parade of dead ends and madness. It's probably out of scope, but it would be fantastic if there were pointers on how to sandbox crusader. Otherwise, it runs the dual risks of being used to compromise systems or not being used because it's scary.


Actually, thinking about this more, I wonder if we shouldn't "just" add sandboxing to Cargo. I started writing up an issue, but I'm not even sure if it's a tractable idea (do we want Cargo to start making promises about security of compilation?). One major issue I can think of is how on earth to make the gcc crate work. :stuck_out_tongue:


Aren't md5 sums more than enough?

For what?

For "That way, the "acquire dependencies" part should be safe". Anyway, maybe I misunderstood something (sandboxing as security instead of only isolating your build from the rest of the cargos on your system).

Yes. Acquiring dependencies should be safe because it's just downloading packages, not actually building or running anything. The point is to divide it from the definitely not safe "test" part.

Making crusader secure seems out of scope. You should just run it on Travis or whatever.

However, it's possible you could hack something on top of GitHub - pcwalton/gaol: Cross-platform application sandboxing for Rust

@jaredly Yes, I want this and will do everything I can to make it happen. Somebody else opened another thread on the subject.


Sorry [offtopic], is this crab photoshopped at all? It's just so darn cute, it hurts. :heart_eyes: :scream:

May I offer my services as a Spanish Inquisition? My references include:

  • Enforcing hipstery, lowercase brand names across the internet ("eurucamp")
  • Employing a person that corrects people that write coworking with a hyphen

We have years of experience in the field.

Could somebody perhaps sketch a "rustafari"?
But at that point we might actually have gone too far :stuck_out_tongue:

Is it just me, or is the list of reverse dependencies truncated?

I just tried this to make a little command to display the reverse dependencies for a crate, and I noticed that hyper, itertools and winapi all have "10" reverse dependencies.

Checking the JSON, there's a "meta" tag at the end, with a "total" field that looks like:

  • hyper: total = 153
  • itertools: total = 12 (only 12?!)
  • winapi: total = 457

I couldn't find any actual documentation for the crates.io API, so I don't know if this is supposed to happen, or what.

Edit: @bluss just noted that adding ?page=1 to the end of the URL gives the next 10.
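The two problems raised in this thread, the reverse-dependency list stopping at 10 entries and the open question of whether a dependent would even pick up the new version under semver, can be worked through together. The following is an added example, not code from cargo-crusader or from the crates.io project: it walks the paginated endpoint until `meta.total` entries are collected, then filters the dependents with a small Cargo-style requirement matcher (caret, tilde, wildcard and comparison requirements) against the version about to be published. The response field names (`dependencies`, `crate_id`, `req`, `meta`, `total`), the 1-based `?page=N` numbering and the page size of 10 are assumptions modelled on the thread's observations; the HTTP call is replaced by a constructed in-memory page fetcher so the script runs offline.

```python
import json
import re

PER_PAGE = 10  # page size observed in the thread (every crate showed "10" deps)

# Constructed sample data standing in for the crates.io reverse_dependencies
# endpoint. Field names are an assumption modelled on the thread, not checked
# against the live API.
_REQS = ["^0.9", "0.9.1", "^1.0", ">=0.8, <2.0", "*",
         "~0.9.2", "0.9.*", "=0.9.0", "^0.10", "<0.9"]
_FAKE_DEPENDENTS = [{"crate_id": f"dependent_{i}", "req": _REQS[i % len(_REQS)]}
                    for i in range(23)]


def fake_fetch_page(page):
    """Stand-in for GET .../reverse_dependencies?page=N; returns the JSON text."""
    start = (page - 1) * PER_PAGE
    chunk = _FAKE_DEPENDENTS[start:start + PER_PAGE]
    return json.dumps({"dependencies": chunk, "meta": {"total": len(_FAKE_DEPENDENTS)}})


def naive_reverse_deps(fetch_page):
    """The truncated view: only the first page, however many dependents exist."""
    return json.loads(fetch_page(1))["dependencies"]


def all_reverse_deps(fetch_page):
    """Walk ?page=N (1-based numbering assumed) until meta.total entries are in hand."""
    collected, page = [], 1
    while True:
        body = json.loads(fetch_page(page))
        deps = body.get("dependencies", [])
        collected.extend(deps)
        total = body.get("meta", {}).get("total", len(collected))
        if not deps or len(collected) >= total:  # empty page guards a wrong total
            return collected
        page += 1


# --- minimal Cargo-style semver requirement matching (no pre-release handling) ---

def _pad(v):
    """Pad a 1-3 component version tuple to (major, minor, patch)."""
    return tuple(v) + (0,) * (3 - len(v))


def _caret_upper(v):
    """Exclusive upper bound of ^v: first component that is non-zero or last given."""
    major, minor, patch = _pad(v)
    if major > 0 or len(v) == 1:
        return (major + 1, 0, 0)
    if minor > 0 or len(v) == 2:
        return (0, minor + 1, 0)
    return (0, 0, patch + 1)


def _tilde_upper(v):
    """Exclusive upper bound of ~v (also used for the 1.* / 1.2.* wildcard forms)."""
    return (v[0] + 1, 0, 0) if len(v) == 1 else (v[0], v[1] + 1, 0)


def _matches_one(req, version):
    req = req.strip()
    if req == "*":
        return True
    m = re.fullmatch(r"(\^|~|>=|<=|>|<|=)?\s*(\d+(?:\.\d+){0,2})(\.\*)?", req)
    if not m:
        raise ValueError(f"unsupported requirement: {req!r}")
    op, num, wild = m.groups()
    v = tuple(int(p) for p in num.split("."))
    lower = _pad(v)
    if wild:
        return lower <= version < _tilde_upper(v)
    if op in (None, "^"):                       # a bare requirement means caret
        return lower <= version < _caret_upper(v)
    if op == "~":
        return lower <= version < _tilde_upper(v)
    if op == "=":
        return version == lower
    return {">=": version >= lower, ">": version > lower,
            "<=": version <= lower, "<": version < lower}[op]


def parse_version(s):
    core = re.split(r"[-+]", s, maxsplit=1)[0]  # drop pre-release / build metadata
    return _pad(tuple(int(p) for p in core.split(".")))


def requirement_matches(req, version_str):
    """True if every comma-separated clause of req admits version_str."""
    version = parse_version(version_str)
    return all(_matches_one(part, version) for part in req.split(","))


def affected_dependents(fetch_page, new_version):
    """Dependents whose requirement would actually resolve to new_version."""
    return [d["crate_id"] for d in all_reverse_deps(fetch_page)
            if requirement_matches(d["req"], new_version)]


if __name__ == "__main__":
    print(len(naive_reverse_deps(fake_fetch_page)), "dependents seen by the truncated query")
    print(len(all_reverse_deps(fake_fetch_page)), "dependents seen after paginating")
    print("would pick up 0.9.3:", affected_dependents(fake_fetch_page, "0.9.3"))
    print("would pick up 1.0.0:", affected_dependents(fake_fetch_page, "1.0.0"))
```

Against the constructed data the single-page query reports 10 dependents while pagination finds all 23, which is the discrepancy the `meta.total` field exposed in the thread. The requirement filter then shows why the semver question matters for a tool like this: a dependent pinned below the version being published cannot be broken by it, so testing it only costs build time, while the dependents whose ranges admit the new version are the ones whose breakage a release would actually cause.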

@DanielKeep I did not know that! Here's a bug https://github.com/brson/cargo-crusader/issues/5

Is this Cargo Crusader the appropriate place for Warnings for breaking semver?

@vi0 Yes, I think this is one potential venue for such a tool. Here's another recent thread on the subject.

The reverse deps pagination bug is fixed and crusader should test all reverse deps now.