As part of our supply chain hardening, I'm trying to verify that for all crates we're using, the git sources match the published crate. This allows e.g. using the git diff for auditing the changes in a release.
The crates in this repo have a .cargo_vcs_info.json in the published files, but the hash mentioned in it doesn't exist: 7d6d5acb30df69694bfc85c81513498ca93cc358
Would it be possible to publish ideally with a .cargo_vcs_info.json with a commit in the repo, or alternatively create tags for all crate releases so they can be matched?
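One way to automate the check described in the issue, as an added example that is not part of the issue or the project: read `.cargo_vcs_info.json` out of a published `.crate` archive and ask a local clone (`repo_dir`, assumed) whether the recorded `sha1` resolves to a commit. The sample crate is constructed inline.

```python
"""Check that a published .crate's .cargo_vcs_info.json points at a commit
that exists in a local clone of the upstream repository."""
import io
import json
import re
import subprocess
import tarfile
from typing import Optional

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def vcs_info_from_crate(crate_bytes: bytes) -> Optional[dict]:
    """Return the parsed .cargo_vcs_info.json from a .crate (gzipped tar), or None.
    cargo only writes this file when packaging from a git checkout."""
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            # cargo stores files as <name>-<version>/<path>
            if member.name.endswith("/.cargo_vcs_info.json"):
                return json.load(tar.extractfile(member))
    return None


def expected_commit(vcs_info: dict) -> Optional[str]:
    """Extract git.sha1 and reject anything that is not a full 40-hex SHA-1."""
    sha = (vcs_info.get("git") or {}).get("sha1")
    return sha if isinstance(sha, str) and SHA1_RE.match(sha) else None


def commit_exists(repo_dir: str, sha: str) -> bool:
    """True if `sha` resolves to a commit object in the clone at repo_dir."""
    result = subprocess.run(
        ["git", "-C", repo_dir, "cat-file", "-e", f"{sha}^{{commit}}"],
        capture_output=True,
    )
    return result.returncode == 0


def verify_crate(crate_bytes: bytes, repo_dir: str) -> str:
    """Classify the crate: 'no-vcs-info', 'bad-sha', 'missing-commit' or 'ok'."""
    info = vcs_info_from_crate(crate_bytes)
    if info is None:
        return "no-vcs-info"
    sha = expected_commit(info)
    if sha is None:
        return "bad-sha"
    return "ok" if commit_exists(repo_dir, sha) else "missing-commit"


def build_test_crate(vcs_info: dict) -> bytes:
    """Constructed sample: a minimal .crate holding only the metadata file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = json.dumps(vcs_info).encode()
        member = tarfile.TarInfo("example-0.1.0/.cargo_vcs_info.json")
        member.size = len(data)
        tar.addfile(member, io.BytesIO(data))
    return buf.getvalue()
```

A result of `missing-commit` is exactly the situation reported above; only an `ok` result makes a `git diff` between two release commits meaningful for audit.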