Description
Is your feature request related to a problem or challenge?
Broken out of a discussion on a PR here:
As described in https://github.com/apache/datafusion?tab=readme-ov-file#dependencies-and-a-cargolock, DataFusion currently does not check in Cargo.lock, which was the recommendation for earlier versions of Rust.
@mbrobbel has a good point here #14069 (comment) that the guidance for Cargo.lock and library files has changed
See https://blog.rust-lang.org/2023/08/29/committing-lockfiles.html
Describe the solution you'd like
TLDR: it sounds like the Rust team now suggests always committing Cargo.lock and letting Dependabot handle updates. That seems like a good idea to me.
@gatesn suggested
Just my two cents, but I have found Renovate to be much more configurable. Here's an example of a lock file maintenance PR: vortex-data/vortex#1818
Though one thing we have to be aware of in DataFusion is that, as part of the Apache security posture, only certain third-party actions are allowed -- we would have to double check Renovate.
Describe alternatives you've considered
No response
Additional context
No response