M4SS-Code / cargo-goggles

Verify that registry crates in your Cargo.lock are reproducible from the git repository
https://crates.io/crates/cargo-goggles
Apache License 2.0

Lockfile for non-reproducible crates #16

Open link2xt opened 3 months ago

link2xt commented 3 months ago

cargo-goggles needs a way to store a list of tested reproducible and tested non-reproducible crates next to Cargo.lock so it can be committed to the repository. Then in CI we can check that all packages from Cargo.lock have been tested and are included in one of these lists. Locally developers can run cargo-goggles to update the list, but likely not in CI on every commit because downloading git repositories for all dependencies is too slow and uses git hoster resources unnecessarily.

link2xt commented 3 months ago

Maybe this overlaps with https://github.com/mozilla/cargo-vet. Essentially I want to have, for each dependency, a record saying some developer has checked that it is reproducible, or not reproducible but the differences are not important (Cargo.toml formatting etc.) and an issue has been filed.

paolobarbolini commented 3 months ago

> Then in CI we can check that all packages from Cargo.lock have been tested and are included in one of these lists.

I'm not sure this really stands on the security side. What's stopping someone from sending a PR with all of the newly added dependencies marked as perfectly reproducible only to find out the file had been changed by hand?

link2xt commented 3 months ago

OK, maybe a list of known reproducible crates is not that useful, and we can run not on every commit but when Cargo.lock changes, so that it is manageable.

The feature request then is to create a cargo-goggles.lock file with a list of known non-reproducible crates on the first run. Then on rerun, remove crates that are not in Cargo.lock anymore and complain if more non-reproducible crates are added, to prevent upgrades from reproducible crates to non-reproducible ones.
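The reconciliation the feature request describes, sketched as an added example in Rust (not cargo-goggles' own code): extract the registry packages from a Cargo.lock, then update a previous cargo-goggles.lock and report crates that became non-reproducible. The Cargo.lock excerpt, the `name@version` record format and the `Reconciled` type are assumptions of this example.

```rust
use std::collections::BTreeSet;

/// Constructed Cargo.lock excerpt: a path crate (no `source`) and two registry crates.
pub const SAMPLE_CARGO_LOCK: &str = "[[package]]\nname = \"myapp\"\nversion = \"0.1.0\"\n\n\
[[package]]\nname = \"libc\"\nversion = \"0.2.150\"\n\
source = \"registry+https://github.com/rust-lang/crates.io-index\"\n\n\
[[package]]\nname = \"serde\"\nversion = \"1.0.200\"\n\
source = \"registry+https://github.com/rust-lang/crates.io-index\"\n";

/// Collect "name@version" for every `[[package]]` with a registry `source`;
/// path and git dependencies are skipped, since only registry crates are checked.
pub fn registry_packages(cargo_lock: &str) -> BTreeSet<String> {
    let mut out = BTreeSet::new();
    let (mut name, mut version, mut registry) = (None, None, false);
    // A trailing sentinel header flushes the last package too.
    for line in cargo_lock.lines().chain(std::iter::once("[[package]]")) {
        let line = line.trim();
        if line == "[[package]]" {
            if let (Some(n), Some(v), true) = (name.take(), version.take(), registry) {
                out.insert(format!("{n}@{v}"));
            }
            registry = false;
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        } else if line.starts_with("source = \"registry+") {
            registry = true;
        }
    }
    out
}
/// Outcome of reconciling the committed cargo-goggles.lock with a fresh check.
pub struct Reconciled {
    /// New lock contents: known non-reproducible crates still present in Cargo.lock.
    pub lock: BTreeSet<String>,
    /// Non-reproducible crates that the old lock did not list: CI should fail on these.
    pub newly_non_reproducible: BTreeSet<String>,
}
/// `previous` is None on the first run (record everything, complain about nothing).
/// Entries are pinned to a version, so an upgrade of a known-bad crate is re-reported.
pub fn reconcile(previous: Option<&BTreeSet<String>>, in_lockfile: &BTreeSet<String>,
                 failed: &BTreeSet<String>) -> Reconciled {
    let failed: BTreeSet<String> = failed.intersection(in_lockfile).cloned().collect();
    let newly: BTreeSet<String> = previous.map(|p| failed.difference(p).cloned().collect()).unwrap_or_default();
    // Drop entries for crates no longer in Cargo.lock, then add this run's failures.
    let mut lock: BTreeSet<String> = previous.map(|p| p.intersection(in_lockfile).cloned().collect()).unwrap_or_default();
    lock.extend(failed);
    Reconciled { lock, newly_non_reproducible: newly }
}
```

In CI, a non-empty `newly_non_reproducible` is the failure condition; a changed `lock` with an empty `newly_non_reproducible` only means entries for removed crates were pruned.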