
`cargo package` includes multiple README files when the case is not all upper-case

Open ehuss opened this issue 1 year ago • 7 comments

Problem

If a package has a Readme.md file (and no readme field in Cargo.toml), it will end up with two readme files in the package.

This regressed in https://github.com/rust-lang/rust/pull/96031 (rust 1.62.0). I'm not sure which of those is responsible.

Steps

  1. cargo new foo
  2. cd foo
  3. touch Readme.md
  4. cargo package --list --allow-dirty

Possible Solution(s)

No response

Notes

No response

Version

cargo 1.77.1 (e52e36006 2024-03-26)
release: 1.77.1
commit-hash: e52e360061cacbbeac79f7f1215a7a90b6f08442
commit-date: 2024-03-26
host: x86_64-apple-darwin
libgit2: 1.7.2 (sys:0.18.2 vendored)
libcurl: 8.6.0 (sys:0.4.70+curl-8.5.0 system ssl:(SecureTransport) LibreSSL/3.3.6)
ssl: OpenSSL 1.1.1w  11 Sep 2023
os: Mac OS 14.5.0 [64-bit]

ehuss avatar Jun 06 '24 13:06 ehuss

This is a subset of #13722.

I'm assuming the root cause is #10548, which mirrored existing license logic over for readmes.

epage avatar Jun 06 '24 14:06 epage

has there been any work done on this yet? would it be viable to revert https://github.com/rust-lang/cargo/pull/10548 if that is indeed the root cause of this bug?

Turbo87 avatar Jul 23 '24 07:07 Turbo87

@Turbo87 this has been in since 1.62 and was just reported just over a month ago. What is bad enough about this that a partial revert of #10548 should be considered?

epage avatar Jul 23 '24 13:07 epage

> What is bad enough about this that a partial revert of #10548 should be considered?

we would like to turn the server-side validation for duplicate files back on to prevent potential security issues. that is admittedly unlikely to be relevant for the readme, but might be an issue for code modules depending on the system. e.g. it would be bad if for example docs.rs showed different sources than what is actually getting compiled in because of casing conflicts.

Turbo87 avatar Jul 23 '24 14:07 Turbo87
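
The duplicate-file check described in the comment above can be sketched as follows. This is an added example, not part of the thread and not cargo's or crates.io's own code. The function name `case_collisions` and the sample listing are constructed for illustration, and Unicode lowercasing is assumed as a stand-in for a filesystem's case folding.

```rust
use std::collections::BTreeMap;

/// Groups package paths that become identical once case is ignored.
/// Assumption: Unicode lowercasing approximates a case-insensitive
/// filesystem; real filesystems apply their own folding rules.
pub fn case_collisions(paths: &[&str]) -> Vec<Vec<String>> {
    let mut groups: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for raw in paths {
        // Compare on the '/'-separated form so that "src\lib.rs" and
        // "src/lib.rs" land in the same group.
        let normalized = raw.trim().replace('\\', "/");
        if normalized.is_empty() {
            continue;
        }
        groups
            .entry(normalized.to_lowercase())
            .or_default()
            .push(normalized);
    }
    // Keep only keys claimed by more than one entry; sort each group so
    // the report is deterministic.
    groups
        .into_values()
        .filter(|g| g.len() > 1)
        .map(|mut g| {
            g.sort();
            g
        })
        .collect()
}

fn main() {
    // Constructed sample in the shape of a package file listing; the
    // two readme names are illustrative, not output copied from cargo.
    let listing = "Cargo.toml\nCargo.toml.orig\nREADME.md\nReadme.md\nsrc/main.rs\n";
    let paths: Vec<&str> = listing.lines().collect();
    for group in case_collisions(&paths) {
        eprintln!("case-insensitive duplicate: {}", group.join(", "));
    }
}
```
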

@Turbo87 so your concern is more about #13722 than this issue?

epage avatar Jul 23 '24 14:07 epage

to some degree yes, though this one here is apparently what is commonly happening in production from what I've seen so far

Turbo87 avatar Jul 23 '24 15:07 Turbo87

> If a package has a Readme.md file (and no readme field in Cargo.toml), it will end up with two readme files in the package.

This bug also happens if there is readme = "README.md" in cargo.toml.


I cannot reproduce this on linux but I can reproduce this on darwin.

jian-lin avatar Aug 15 '24 13:08 jian-lin