I was recently bitten by some behaviour in Cargo that I found quite surprising. I’m not sure if it’s just a failure on my part to read the documentation sufficiently thoroughly, or if it really is quite a dangerous/unintuitive default. I’d like to hear whether others in the community find this a good idea or if there’s agreement it should be changed.
Specifically, when you run cargo package or cargo publish, cargo grabs all local files in the directory (as long as they’re not in .gitignore), and includes them in the package that is to be published. While this is a little more convenient than having to list everything explicitly, it feels like a default that fails the wrong way when people don’t know about it. I can easily envision scenarios where people publish (to the whole world on crates.io, and irrevocably!) things they didn’t intend to.
My suggestion would be to remove this feature entirely, and require a listing of desired files in Cargo.toml (maybe printing a warning when there are files present that aren’t listed?). Alternatively, the feature could remain, but as an explicit opt-in requiring users to select it by adding a flag to
The problem with both of these approaches, of course, is that they’d be a non-backwards-compatible breaking change. They’d also be a little less convenient than having everything work automagically. However, I think safety is more important than the very minor amount of effort this feature saves. Thoughts?
I’ve also filed a bug in the cargo repo, which links to some previous discussion/mentions of the issue.
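Added example, not part of the original post: a pre-publish check that compares the file list printed by `cargo package --list` against an explicit allowlist and fails when anything else would be shipped. The allowlist patterns, the sample listing and the function names are constructed for illustration.

```shell
#!/bin/sh
# Pre-publish guard: read a package file list (one path per line, the format
# printed by `cargo package --list`) and report paths not on an allowlist.
# Typical use:  cargo package --list | check_package_list

# Allowlist of shell glob patterns, one per line (constructed; adjust per crate).
# The first four entries cover the manifest and files cargo generates itself.
ALLOWED_PATTERNS='Cargo.toml
Cargo.toml.orig
Cargo.lock
.cargo_vcs_info.json
README.md
LICENSE*
src/*'

# Constructed sample listing: two files that were never meant to be published.
SAMPLE_LIST='Cargo.toml
README.md
src/lib.rs
src/net/client.rs
.env
notes/customer-dump.csv'

# unexpected_files: print every stdin path that matches none of the patterns.
unexpected_files() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        ok=0
        old_ifs=$IFS
        IFS='
'
        set -f                      # keep patterns from globbing the filesystem
        for pat in $ALLOWED_PATTERNS; do
            case $path in
                $pat) ok=1; break ;;  # unquoted: treated as a glob pattern
            esac
        done
        set +f
        IFS=$old_ifs
        [ "$ok" -eq 1 ] || printf '%s\n' "$path"
    done
}

# check_package_list: return 1 if anything outside the allowlist would ship.
check_package_list() {
    extra=$(unexpected_files)
    if [ -n "$extra" ]; then
        printf 'not on allowlist, would be published:\n%s\n' "$extra" >&2
        return 1
    fi
}
```

Run as a CI step or a local hook before `cargo publish`, so an unexpected file stops the release instead of reaching crates.io.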