search

M4SS-Code / cargo-goggles

Verify that registry crates in your Cargo.lock are reproducible from the git repository
https://crates.io/crates/cargo-goggles
Apache License 2.0
36 stars 2 forks source link

Faster clone method #22

Open kornelski opened 3 months ago

kornelski commented 3 months ago

Instead of cloning the repo and then looking for a tag, you can use git ls-remote (Remote::create_detached & connect_auth & list in git2) to find a tag and its sha1.

When you have a sha1, you can init an empty repo, and do git fetch +3db7c05aa35749cc4e0f0f892bc5831219901f98:refs/heads/whateverbranch --depth=1 to get just that one commit.

paolobarbolini commented 3 months ago

This sounds like a great idea, and for long term storage of repos would also help us known when it's time to pull again.

link2xt commented 3 months ago

Seems git fetch --depth=1 <repo> <commit> into an empty repo works.

I also suggest that we clone from scratch for each crate version: #14

When you have a sha1

We already have sha1 from the downloaded crate

kornelski commented 3 months ago

I've meant searching tags for crates that lack sha1 from cargo, usually due to having a "dirty" directory when publishing.