`Cargo.lock` strategy

[Kixunil]

The current recommendation is to not commit Cargo.lock for libraries but commit it for binaries. The main reason being that it doesn't affect downstream crates. However I think that committing it has some value - it says "we tested this crate with these versions of dependencies". And if we review the crates (ensuring the hashes match) it also acts as a lightweight cargo-crev. (I myself don't want to commit to this for now, maybe around 1.0 where versions will be more stable.)

However we could have these problems: people accidentally changing and committing it possibly causing merge conflicts, older versions of crates not being recorded.
As a solution I propose having Cargo-minimal.lock and Cargo-recent.lock. CI will just copy them over Cargo.lock before run.
Cargo-minimal.lock would contain minimal versions (See #1229 ) and would be only updated when we update Cargo.toml (We can probably have a check for this.) Cargo-recent.lock could be updated more often but always in a distinct PR to not cause merge conflicts.

[apoelstra]

This is a neat idea. I like it.

[tcharding]

Cool, I'd like a script (with same name in each crate) that I can run during development that says

• Use Cargo-recent.lock and run enough tests that most silly mistakes are caught but I don't have to wait 10 minutes for contrib/test.sh to run (optimized for good-enough coverage and fast)
• As above for clippy

Would save me having to look up what feature set I need to run everytime I switch which carte I'm hacking on.

[Kixunil]

Yeah, same script will be used in CI.

[apoelstra]

@MUCCHU if you'd like to take a look at this, the strategy is pretty straightforward, though tedious:

1. Run cargo update in this repo with a recent rustc. Copy the resulting Cargo.lock to contrib/Cargo.tested.lock.
2. Run cargo tree --all-features. Then for every single package in the tree, run cargo update -p <package> --precise <exact version>.
3. Copy the resulting Cargo.lock to contrib/Cargo.minimal.lock.

In step 2, for exact version, you should check our Cargo.toml, and use the version specified there (for direct dependencies) or just bisection-search to find the oldest version that works (for indirect dependencies). After each cargo update you should re-run cargo test --all-features to check that things stil compile.

If something doesn't compile with a version that our Cargo.toml says it should, please edit the Cargo.toml and/or file a bug.

You might want to try this first on rust-bech32, rust-secp256k1, or rust-bitcoinconsensus, which are also maintained by us, but which have smaller dependency trees.

[Kixunil]

You can also just remove Cargo.lock and run cargo +nightly check --all-features -Z minimal-versions in step 2.