Cargo wants to update lock file even when all git dependencies have provided hashes

https://discord.com/channels/568306982717751326/1073823970467524770

I’m trying to package filips123/PWAsForFirefox, which is a Rust binary (sources in native subdir).

The project relies on unpublished forks of two crates: data-url and mime. There is a third, written by filips123: web_app_manifest. All three of these are specified as Git dependencies in the Cargo.toml.

For example,

    data-url = { git = "https://github.com/filips123/rust-url", branch = "impl-std-error" }

I’ve been reading:
https://github.com/NixOS/nixpkgs/blob/b71a0e4f1bcb92ac7a50f82d33bec7a9451b2a18/doc/languages-frameworks/rust.section.md

I’ve added:

    cargoLock = {
      lockFile = "${source}/native/Cargo.lock";
      # allowBuiltinFetchGit = true;
      outputHashes = {
        "data-url-0.1.0" = "sha256-rESQz5jjNpVfIuTaRCAV2TLeUs09lOaLZVACsb/3Adg=";
        "web_app_manifest-0.0.0" = "sha256-CpND9SxPwFmXe6fINrvd/7+HHzESh/O4GMJzaKQIjc8=";
        "mime-0.4.0-a.0" = "sha256-LjM7LH6rL3moCKxVsA+RUL9lfnvY31IrqHa9pDIAZNE=";
      };
    };

When building the package, Cargo has an error because it decides the lock file is out-of-date:

> error: the lock file /build/native/Cargo.lock needs to be updated but --frozen was passed to prevent this
> If you want to try to generate the lock file without accessing the network, remove the --frozen flag and use --offline instead.

I see this, which indicates it has passed Nix’s check:

> Validating consistency between /build/native/Cargo.lock and /build/cargo-vendor-dir/Cargo.lock

I’ve built the package manually, online, and the lock file for the release I’m packaging is indeed correct and does not need to be updated.

When Cargo builds offline, it can’t clone the git dependencies. That isn’t even to mention that allowBuiltinFetchGit = false presumably has another mechanism outside --frozen to prevent this.

How do I provide the requisite Git dependencies to Cargo? Can I package them individually and add them to nativeBuildInputs? I would really rather not.

This is possibly because the Cargo.lock is outdated. Can you try to build this package with --frozen without Nix and see if it works?

Please read the post in whole.

I built it successfully with this on v2.4.1 and can’t reproduce the issue you mentioned. Do you have a reproducible example? Btw, the Discord link doesn’t work for me.

    rustPlatform.buildRustPackage {
      pname = "test";
      version = "0.1.0";

      src = ./.;

      cargoLock = {
        lockFile = ./Cargo.lock;
        outputHashes = {
          "data-url-0.1.0" = "sha256-rESQz5jjNpVfIuTaRCAV2TLeUs09lOaLZVACsb/3Adg=";
          "web_app_manifest-0.0.0" = "sha256-CpND9SxPwFmXe6fINrvd/7+HHzESh/O4GMJzaKQIjc8=";
          "mime-0.4.0-a.0" = "sha256-LjM7LH6rL3moCKxVsA+RUL9lfnvY31IrqHa9pDIAZNE=";
        };
      };

      nativeBuildInputs = [ pkg-config ];

      buildInputs = [ bzip2 openssl ];
    }

Here’s what I’m working with. I’m not adding the package Nix into the repository’s native directory, and building with local sources often behaves differently so it doesn’t surprise me that it works with your example.

There’s another guy trying to put this in Nixpkgs and he plagiarized me once before, that’s the only reason I didn’t include this with the original post.

      sed -zi 's;name = "firefoxpwa"\nversion = "0.0.0";name = "firefoxpwa"\nversion = "2.1.2";' Cargo.lock

This line causes the issue; replace 2.1.2 with ${version} and the issue should be fixed.

Indeed! Thank you for catching my oversight, I’m usually very careful about avoiding hard-coded values.
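The mismatch found above can be caught before Cargo runs. The following is an added example, not code from any poster in this thread or from Nixpkgs: a POSIX shell check that the root package's version in Cargo.lock equals the one in Cargo.toml. The function names and sample files are constructed for illustration, and it assumes Cargo.toml carries the release version and uses the conventional `key = "value"` spacing.

```shell
#!/bin/sh
# Added example: compare the root crate's version in Cargo.toml and Cargo.lock.
# A stale, hand-edited lock entry makes Cargo want to rewrite the lock file.

# Print a string field from the [package] table of a Cargo.toml.
manifest_field() {  # $1 = Cargo.toml, $2 = key (e.g. name, version)
  awk -v key="$2" '
    /^\[/ { in_pkg = ($0 == "[package]"); next }
    in_pkg && $1 == key { split($0, p, "\""); print p[2]; exit }
  ' "$1"
}

# Print the version recorded for one package in a Cargo.lock.
lock_version() {  # $1 = Cargo.lock, $2 = package name
  awk -v name="$2" '
    $0 == "[[package]]" { in_entry = 1; hit = 0; next }
    /^\[/ { in_entry = 0 }
    in_entry && $1 == "name" { split($0, p, "\""); hit = (p[2] == name) }
    in_entry && hit && $1 == "version" { split($0, p, "\""); print p[2]; exit }
  ' "$1"
}

# Return 0 when both files agree on the root package version, 1 otherwise.
check_root_version() {  # $1 = directory holding Cargo.toml and Cargo.lock
  crv_name=$(manifest_field "$1/Cargo.toml" name)
  crv_want=$(manifest_field "$1/Cargo.toml" version)
  crv_got=$(lock_version "$1/Cargo.lock" "$crv_name")
  if [ "$crv_want" != "$crv_got" ]; then
    echo "mismatch: $crv_name is $crv_want in Cargo.toml, '$crv_got' in Cargo.lock" >&2
    return 1
  fi
  echo "ok: $crv_name $crv_want"
}

# Constructed sample files (not the project's real manifest or lock file).
write_sample() {  # $1 = directory, $2 = version to record in Cargo.lock
  printf '[package]\nname = "firefoxpwa"\nversion = "2.4.1"\n' > "$1/Cargo.toml"
  printf '[[package]]\nname = "data-url"\nversion = "0.1.0"\n\n' > "$1/Cargo.lock"
  printf '[[package]]\nname = "firefoxpwa"\nversion = "%s"\n' "$2" >> "$1/Cargo.lock"
}

demo=$(mktemp -d)
write_sample "$demo" 2.1.2   # lock entry patched with a stale hard-coded version
check_root_version "$demo" || echo "lock file and manifest disagree"
rm -rf "$demo"
```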