Add source repository manifest#43
Closed
rominf wants to merge 5 commits into
Closed
Conversation
Documents the application name, version, Cargo dependency provenance, shipped binaries, runtime-downloaded assets, and repository structure as required by AMD OSS policy Section A.c. Signed-off-by: Roman Inflianskas <Roman.Inflianskas@amd.com>
Replace the Python cargo-metadata snippet with a native `cargo xtask manifest` command that regenerates the Cargo dependency table in MANIFEST.md in place, with a --check mode for CI. Keeps manifest maintenance pure-Rust and dependency-free. Signed-off-by: Roman Inflianskas <Roman.Inflianskas@amd.com>
- Tarball signature check: the RSA/SHA-256 signature verification applies to metadata index files only, not to the SDK tarball binary itself. Rescope the claim to avoid misleading compliance reviewers. - Add missing Lemonade embeddable runtime-download section: when `rocm engines install lemonade` is run the CLI downloads a prebuilt Lemonade embeddable archive from GitHub; this asset category was entirely absent from the manifest. - Correct engine Python-venv description: only the PyTorch engine manages its own uv-backed virtual environment; vLLM, SGLang, and ATOM record externally-provided runtimes and do not install Python packages. Signed-off-by: Roman Inflianskas <Roman.Inflianskas@amd.com>
Two correctness issues found in review of the source manifest: - Sort the generated Cargo dependency table by semantic version rather than lexicographically. A string sort ordered multi-digit versions incorrectly (e.g. core-foundation 0.10.1 before 0.9.4, linux-raw-sys 0.12.1 before 0.4.15). Add the semver crate to xtask and compare parsed versions, falling back to string order if parsing fails. Regenerate the table so the committed ordering is correct. - Correct the Shipped Binaries section: the workspace builds more than two binaries. Besides rocm and rocmd, each engine crate under engines/ builds its own rocm-engine-<name> host binary. Also add llama.cpp to the list of engines that record external runtimes rather than installing Python packages. Signed-off-by: Roman Inflianskas <Roman.Inflianskas@amd.com>
cargo metadata --locked hard-fails whenever Cargo.lock needs even a trivial refresh (e.g. right after a dependency is added but before a build updates the lock). Resolve normally so the manifest command stays usable in that window. Signed-off-by: Roman Inflianskas <roman.inflianskas@amd.com>
Collaborator
Author
|
Superseded by #46 (recreated from a branch renamed to remove an internal identifier; same commits plus pending fixes). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
MANIFEST.mdto document the composition of this repository for OSS compliance purposes.cargo metadataat release time; the manifest includes the regeneration command so it can be kept current.uvbinary) are downloaded on demand.Test plan
MANIFEST.mdcontent for accuracy againstCargo.lock,Cargo.toml, and the codebase structure.cargo metadatacommand to verify the dependency table matches the current lockfile.