jbg
commented
2 months ago I think that if this is made built-in functionality in cargo, only the crate clone method should be included.
The other methods seem to assume that the repository key in the crate metadata points to the actual code of the crate, yet nothing guarantees that.
Especially if it's included in cargo, people may rely on this for auditing their dependencies, but the clone methods other than crate are not suitable for that purpose.
Just adding this here as a paper trail. I opened https://github.com/rust-lang/cargo/issues/1545 which is a feature request to either integrate this crate into Cargo or for cargo to provide similar functionality. I don't expect to see any movement on this any time soon but let this issue stand as an indication that the functionality here is definitely valued.
edit: Updated issue since https://github.com/rust-lang/cargo/issues/8888 is a duplicate of https://github.com/rust-lang/cargo/issues/1545