| 25 Mar 2025 |
 emily | I don't think that's strictly mandatory though, stuff breaks in Nixpkgs with less handholding than that 🫠| 14:02:05 |
| emily | I would suggest that after we drop kubernix we
- flip
useFetchCargoVendor to true by default, add an assertion that it's not false
- rip out the old fetching machinery entirely
- document that in the release notes
| 14:02:49 |
 Toma | kubernix uses importCargoLock, no need to wait for that | 14:03:39 |
| emily | fair enough | 14:03:52 |
| emily | we should probably drop it anyway though… | 14:03:55 |
| Toma | yeh | 14:03:59 |
| emily | like it looks pretty knownVulnerabilities, it pins Kubernetes components from over half a decade ago | 14:04:11 |
| emily | does importCargoLock handle the "same package from two different registries" thing btw? | 14:04:48 |
| Toma | I don't think so | 14:04:56 |
| emily | I am wondering if it makes sense to allow fetchCargoVendor to be driven by a Cargo.lock to avoid maintaining two paths for all of this altogether. but that's not release-blocking | 14:07:20 |
| Toma | after my last few migrations to fetchCargoVendor get merged, almost all other packages that still have a Cargo.lock vendored do it because of upstream not publishing it | 14:07:29 |
| Toma | not sure I understand | 14:08:08 |
| emily | we could have a mode where you supply a Cargo.lock and a hash, right? | 14:08:38 |
| emily | which would meet the "no upstream Cargo.lock" use case and ~obsolete importCargoLock | 14:08:53 |
| Toma | I guess very much like with fetchYarnDeps | 14:09:44 |
| Toma | but for historical reasons almost everyone uses ${src}/yarn.lock instead of inherit src there (it's not IFD, since it only uses that in the build process) | 14:10:37 |
| emily | https://github.com/NixOS/nixpkgs/blob/15f3d37c73c8c1090f8fef7b8508675c9260eab6/pkgs/build-support/rust/import-cargo-lock.nix
- https://github.com/NixOS/nixpkgs/blob/15f3d37c73c8c1090f8fef7b8508675c9260eab6/pkgs/build-support/rust/replace-workspace-values.py
isn't a trivial maintenance burden, so if 25.05 is doing breaking changes anyway, it might be best to eliminate it
| 14:11:05 |
| emily | * https://github.com/NixOS/nixpkgs/blob/15f3d37c73c8c1090f8fef7b8508675c9260eab6/pkgs/build-support/rust/import-cargo-lock.nix
+ https://github.com/NixOS/nixpkgs/blob/15f3d37c73c8c1090f8fef7b8508675c9260eab6/pkgs/build-support/rust/replace-workspace-values.py
isn't a trivial maintenance burden, so if 25.05 is doing breaking changes anyway, it might be best to eliminate it | 14:11:09 |
| emily | ah I guess we use the latter in fetchCargoVendor too | 14:11:34 |
| emily | so it's not so bad | 14:11:35 |
