Open anp opened 4 years ago
Roadblock: the checksums in the cargo index include `.cargo_vcs_info.json`, which itself includes the git commit when the package was made (handy!).
If we still want to do checksum verification (probably?) then I see two paths to making the checksum reproducible in later builds:

- `cargo package` output file-by-file

I'm inclined towards (2) because it relies on less network activity. Now that ofl tags commits on publish, (2) should be possible without too much more work.
Approach:

- `cargo package`
- `CARGO_TARGET_DIR/package/NAME-VERSION/**`
- `.cargo_vcs_info.json` file to point at the SHA1 of the git tag
- `tar` the files to get a "backdated" `NAME-VERSION.crate` file
The dry-run publish step on CI needs to check if the version of the crate in the PR is on crates.io. If it is, the scripts should download the tarball, package a local crate tarball, and assert they're the same. If they're not the same, fail CI with a recommendation to run `cargo ofl versions` locally.
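As an added illustration (not code from this issue or from the project), a minimal Python packer that rewrites `.cargo_vcs_info.json` to a given tag SHA1 and tars the package tree with fixed entry metadata, so the resulting crate checksum depends only on file contents and the recorded commit; the package tree, crate name and tag SHA1 are constructed placeholders.

```python
import gzip, hashlib, io, json, os, tarfile, tempfile

def write_vcs_info(pkg_dir, sha1):
    # Same shape cargo writes: {"git": {"sha1": "<commit>"}}; here we point it at the tag commit
    with open(os.path.join(pkg_dir, ".cargo_vcs_info.json"), "w") as f:
        json.dump({"git": {"sha1": sha1}}, f, indent=2)
        f.write("\n")

def build_crate_bytes(pkg_dir, name_version):
    """Tar pkg_dir as NAME-VERSION/... with mtime/owner zeroed and sorted entries,
    then gzip with mtime=0, so the bytes do not change between builds."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for root, dirs, files in os.walk(pkg_dir):
            dirs.sort()
            for fn in sorted(files):
                full = os.path.join(root, fn)
                arcname = os.path.join(name_version, os.path.relpath(full, pkg_dir))
                info = tar.gettarinfo(full, arcname)
                info.mtime = 0
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                with open(full, "rb") as f:
                    tar.addfile(info, f)
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:  # no build timestamp in the header
        gz.write(raw.getvalue())
    return out.getvalue()

def crate_sha256(pkg_dir, name_version, tag_sha1):
    """Checksum of the 'backdated' crate, comparable across CI runs."""
    write_vcs_info(pkg_dir, tag_sha1)
    return hashlib.sha256(build_crate_bytes(pkg_dir, name_version)).hexdigest()

def demo():
    # Constructed sample package standing in for CARGO_TARGET_DIR/package/NAME-VERSION
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "demo-0.1.0")
        os.makedirs(os.path.join(pkg, "src"))
        with open(os.path.join(pkg, "Cargo.toml"), "w") as f:
            f.write('[package]\nname = "demo"\nversion = "0.1.0"\n')
        with open(os.path.join(pkg, "src", "lib.rs"), "w") as f:
            f.write("pub fn f() {}\n")
        tag = "a" * 40  # placeholder SHA1 of the publish tag
        first = crate_sha256(pkg, "demo-0.1.0", tag)
        again = crate_sha256(pkg, "demo-0.1.0", tag)
        other = crate_sha256(pkg, "demo-0.1.0", "b" * 40)
        # Same tree + same tag commit reproduces; a different recorded commit changes the checksum
        return first == again, first != other
```

This packer is a simplified stand-in: the CI check described above must compare against the tarball cargo itself produces, whose byte layout (entry order, metadata, compression) is cargo's to define.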