cargo package refuses to build a package with un-uploaded dependencies, no matter what

[bk2204]

Problem
There is no way (that I have found) to force cargo package to build a local package unless all dependencies have been uploaded to crates.io, even if --no-verify and --offline are specified. This prevents building packages for the entirety of a workspace in CI or for the purposes of verifying that the crate archive contains all of the contents it should, unless all the dependent crates have been uploaded. This also prevents people from building crates to upload to a different location if they'd like to do that, or building without Internet access.

Steps

1. Create a workspace with two crates: core and bin.
2. Make bin depend on core via a path dependency.
3. Specify some additional includes in bin's Cargo.toml.
4. Try (and fail) to use cargo package --no-verify --offline to build a crate so you can sanity-check the contents of the tarball.

Possible Solution(s)
Using the regular workspace instead of the ephemeral in build_lock seems to solve the problem. This could be implemented to only be used if --no-verify is specified, although I'm not sure what other side effects that would have.

Notes

I'm happy to send a patch to fix this.

My particular use case here is because I build my README.md from another file and I want to be sure that the contents of my crate will be correct and include the expected files. But there are many good and valuable reasons one may want to build a crate tarball locally without needing dependencies to be uploaded.

Output of cargo version:

cargo 1.50.0 (f04e7fa 2021-02-04)
Rust stable
Debian amd64/sid

[dbr]

We had the same problem with the imgui-rs project,

imgui-rs/imgui-rs#646

Specifically:

• We added a new freetype feature, which caused the library to build with additional .cpp files (which we bundle)
• We exclude some unnecessary files to reduce the size of the .crate
• There was a mistake with these exclude patterns, so they missed these .cpp files

This meant:

• Our existing CI checks were all happy as they built from the git repo, which had these additional .cpp files present
• However when people tried to against the crate from crates.io (with the freetype feature), the .cpp were not present so the build failed

This is unfortunate as the mistake is only really noticable after a new version is published.

I was hoping in CI we could just do cargo package -p imgui-sys --features freetype && cargo package -p imgui --features freetype to verify this, but the latter part fails as above ("error: failed to verify package tarball ... Caused by: failed to select a version for imgui-sys")

[weihanglo]

For now, a way to check the contents of the tarball is cargo package --list. Does that help sanity check a bit?

[epage]

Looks like this and #10948 are effectively duplicates, just with different suggestions as to what to do. I'm closing in favor of #10948 so we focus on one way of solving this problem and as that is the more likely solution for us to go with. If there is a reason for us to reconsider, let us know!