`cargo publish` omits metadata component in version during checking if package is already published

[cpp11nullptr]

Problem

Starting from 1.83, cargo publish fails if a registry contains package with the same {MAJOR}.{MINOR}.{PATCH} but different "build metadata" (after a plus sign) component.

Steps

Repro steps:

1. cargo publish for package with version 0.1.0.
2. cargo publish for package with version 0.1.0+123.

Actual behavior: error: crate foobar@0.1.0+123 already exists.

Expected behavior: version 0.1.0+123 should be published.

Possible Solution(s)

As temporary workaround, downgrading to 1.82 can be used.

Notes

It may be the same root case as for #15028.

Version

cargo 1.83.0 (5ffbef321 2024-10-29)
release: 1.83.0
commit-hash: 5ffbef3211a8c378857905775a15c5b32a174d3b
commit-date: 2024-10-29
host: x86_64-pc-windows-msvc
libgit2: 1.8.1 (sys:0.19.0 vendored)
libcurl: 8.9.0-DEV (sys:0.4.74+curl-8.9.0 vendored ssl:Schannel)
os: Windows 10.0.26100 (Windows 11 Enterprise) [64-bit]

[epage]

Are you using a third-party registry? Differing by build metadata on crates.io has been disallowed since May 2023 (rust-lang/crates.io#6518). This was done because (1) the semver spec says they are the same so there is no predicability with what you get and (2) therefore cargo has odd/bad behavior with this.

What is your use case for doing this? Without any other data, I feel like this is a good thing that we extended this check to all registries (even if its only client-side validation).

Without further context, what I propose we do is

• Improve the error message for this case
• Document this as a recommendation or expectation for registries to check

[cpp11nullptr]

Yes, it gets published to ADO feed. Thanks for sharing more context, it makes sense. I'd say that it'd be less ambiguous if semver specification added a note that "two versions that differ only in the build metadata are the same" in additional to using precedence term there (which kind of conveying message but in confusing way). Using "123" (from example above) as "pre-release" component should work for me, I guess.

[epage]

@cpp11nullptr could you expand on your use case for why you were publishing packages that only differed by metadata?

[cpp11nullptr]

The intention is to publish packages which are produced by CI (so it's incremental versioning). Looking around, {MAJOR}.{MINOR}.{PATCH}-{BUILD} or {MAJOR}.{MINOR}.{PATCH}-build.{BUILD} seems to be common approach there.

[cpp11nullptr]

Closing this issue as resolved.