RLBox Lucet depends on the master branch of one of its dependencies
Categories
(Firefox Build System :: General, defect, P1)
People
(Reporter: bbouvier, Assigned: shravanrn)
Attachments
(1 obsolete file)
rlbox_lucet_sandbox has a special vendoring in the top-level Cargo.toml file. It is based on a fixed Git revision of the github project's repo: https://github.com/PLSysSec/rlbox_lucet_sandbox.
This project's Cargo file depends on a git branch of another project (fork of lucet_sandbox_compiler), without pinning a fixed commit/branch: https://github.com/PLSysSec/rlbox_lucet_sandbox/blob/master/Cargo.toml#L11
When I run mach vendor rust (to bump the version of Cranelift), I see unrelated changes to lucet_sandbox_compiler files chiming in, since rlbox_lucet_sandbox depends on their master branches. This is kind of unexpected and might be a bit dangerous in terms of security (if random commits were injected in one of these dependencies, and somebody at Mozilla did a mach vendor rust without reading too much into the result).
An alternative would be that the upstream https://github.com/PLSysSec/rlbox_lucet_sandbox repository specify fixed commits for each dependency, so vendoring doesn't pull random commits from other projects.
(Attached is output of mach vendor rust, on mozilla-central 7e6a4e221495. It's nice because it removes one dependency on syn / quote, thanks to glandium's upstream patches.)
Comment 1•5 years ago (Reporter)
I think this is high priority, because this effectively prevents people from doing mach vendor rust, unless they like tweaking the output of mach vendor rust by hand.
One way to unblock me right now would be to have the above output landed...
Comment 2•5 years ago
Shravan, is this something you could take care of? The priority is less atm because I landed the output above in bug 1587468 and thus Benjamin is no longer blocked. But any change to your repo which doesn't get updated immediately here will break the workflow of people. Is there any chance you can use path or exact revisions in your repo?
Comment 3•5 years ago (Assignee)
Yup, I can fix this. I am traveling at the moment, but can push a change in the next 24 to 36 hours if that's ok. Feel free to transfer this bug to me
Comment 4•5 years ago (Assignee)
I have fixed this as a part of https://bugzilla.mozilla.org/show_bug.cgi?id=1603658