Not all dependencies detected

[freijon]

I'm writing an ebuild for bandwhich and detected an issue where not all dependencies are resolved correctly:

Some tinkering is needed to get as far as where I am right now, so here is my current ebuild so far:
https://gist.github.com/freijon/d6699e7f7e39513e35ec8e9d11088b44

Also, their Cargo.lock in the 0.20.0 release seems to be broken - I rebuilt it using cargo generate-lockfile

When running ebuild bandwhich-0.20.0.ebuild digest clean install I get:

error: failed to select a version for the requirement async-trait = "^0.1.21" (locked to 0.1.21)
candidate versions found which didn't match: 0.1.71
location searched: directory source /var/tmp/portage/net-analyzer/bandwhich-0.20.0/work/cargo_home/gentoo (which is replacing registry crates-io)
required by package bandwhich v0.20.0 (/var/tmp/portage/net-analyzer/bandwhich-0.20.0/work/bandwhich-0.20.0)
perhaps a crate was updated and forgotten to be re-vendored?
As a reminder, you're using offline mode (--offline) which can sometimes cause surprising resolution failures, if this error is too confusing you may wish to retry without the offline flag.

The requirement is coming from their Cargo.toml and which seems to have been missed by pycargoebuild

[mgorny]

pycargoebuild relies on Cargo.lock entirely. If it's broken, we can't provide good results.

[freijon]

But I ran cargo generate-lockfile from scratch - So it shouldn't be broken?

[mgorny]

Ah, sorry, I misunderstood your comment.

So, from what I can see, as of version 0.20.0:

• Cargo.toml requires exact versions of dependencies (which is probably a mistake)
• Cargo.lock is an old version, and therefore it is rejected by pycargoebuild (but this is possibly fixable)
• cargo generate-lockfile generates Cargo.lock that doesn't meet the dependencies from Cargo.toml (wtf?)

I don't know Cargo enough to tell but either there's some other way of doing this or it's generating invalid Cargo.lock.