pgp-0.12.0-alpha.1 crate is published with modified Cargo.toml #327
link2xt opened this issue Mar 31, 2024 · 5 comments
Comments


link2xt commented Mar 31, 2024

I have downloaded the published crate:

$ wget -O pgp-0.12.0-alpha.1.crate https://crates.io/api/v1/crates/pgp/0.12.0-alpha.1/download
$ sha256sum pgp-0.12.0-alpha.1.crate
db461ba3f30eecd45db966d0e0e48cc570267f6161606f6f2a29ebd11a5688f1  pgp-0.12.0-alpha.1.crate

Then I built the package myself with cargo package on a clean v0.12.0-alpha.1 tag (2d255ed) checkout:
Result of cargo package:
$ sha256sum target/package/pgp-0.12.0-alpha.1.crate
9a2e6425096ef66c8f9b82ae1f00544d36690e59f3fd773107811decd729c24c target/package/pgp-0.12.0-alpha.1.crate

Here is the diffoscope pgp-0.12.0-alpha.1.crate rpgp/target/package/pgp-0.12.0-alpha.1.crate output:

--- pgp-0.12.0-alpha.1.crate
+++ rpgp/target/package/pgp-0.12.0-alpha.1.crate
├── pgp-0.12.0-alpha.1.crate-content
│ ├── file list
│ │ @@ -1,14 +1,14 @@
│ │  -rw-r--r--   0        0        0       94 1970-01-01 00:00:01.000000 pgp-0.12.0-alpha.1/.cargo_vcs_info.json
│ │  -rw-r--r--   0        0        0      129 2006-07-24 01:21:28.000000 pgp-0.12.0-alpha.1/.github/dependabot.yml
│ │  -rw-r--r--   0        0        0     7869 2006-07-24 01:21:28.000000 pgp-0.12.0-alpha.1/.github/workflows/ci.yml
│ │  -rw-r--r--   0        0        0       89 2006-07-24 01:21:28.000000 pgp-0.12.0-alpha.1/.gitignore
│ │  -rw-r--r--   0        0        0       87 2006-07-24 01:21:28.000000 pgp-0.12.0-alpha.1/.gitmodules
│ │  -rw-r--r--   0        0        0    44877 2006-07-24 01:21:28.000000 pgp-0.12.0-alpha.1/CHANGELOG.md
│ │ --rw-r--r--   0        0        0     4774 1970-01-01 00:00:01.000000 pgp-0.12.0-alpha.1/Cargo.toml
│ │ +-rw-r--r--   0        0        0     4771 1970-01-01 00:00:01.000000 pgp-0.12.0-alpha.1/Cargo.toml
│ │  -rw-r--r--   0        0        0     3050 2006-07-24 01:21:28.000000 pgp-0.12.0-alpha.1/Cargo.toml.orig
│ │  -rw-r--r--   0        0        0    10846 2006-07-24 01:21:28.000000 pgp-0.12.0-alpha.1/LICENSE-APACHE
│ │  -rw-r--r--   0        0        0     1022 2006-07-24 01:21:28.000000 pgp-0.12.0-alpha.1/LICENSE-MIT
│ │  -rw-r--r--   0        0        0      164 2006-07-24 01:21:28.000000 pgp-0.12.0-alpha.1/LICENSE.md
│ │  -rw-r--r--   0        0        0     1017 2006-07-24 01:21:28.000000 pgp-0.12.0-alpha.1/PLATFORMS.md
│ │  -rw-r--r--   0        0        0     4175 2006-07-24 01:21:28.000000 pgp-0.12.0-alpha.1/README.md
│ │  -rw-r--r--   0        0        0     1790 2006-07-24 01:21:28.000000 pgp-0.12.0-alpha.1/STATUS.md
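Review bot: the only entry in this file list whose size differs is Cargo.toml, 4774 bytes in the published crate against 4771 bytes in the local build, a 3-byte delta; every other member, Cargo.toml.orig (3050 bytes) included, has the same size and timestamp, so the source tree itself looks identical and only the manifest that cargo regenerates at packaging time (note its 1970 timestamp, shared with .cargo_vcs_info.json) differs. For a reproducibility check it would be better to compare Cargo.toml.orig byte for byte and treat the generated Cargo.toml separately.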
│ ├── pgp-0.12.0-alpha.1/Cargo.toml
│ │ @@ -31,15 +31,15 @@
│ │      "email",
│ │  ]
│ │  license = "MIT OR Apache-2.0"
│ │  repository = "https://github.com/rpgp/rpgp"
│ │  resolver = "2"
│ │  
│ │  [profile.bench]
│ │ -debug = true
│ │ +debug = 2
│ │  
│ │  [dependencies.aes]
│ │  version = "^0.8"
│ │  
│ │  [dependencies.argon2]
│ │  version = "0.5"
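Review bot: the sole textual change is `debug = true` becoming `debug = 2` under `[profile.bench]`, which accounts exactly for the 3-byte size difference reported above; both spellings are valid cargo profile settings with the same meaning (full debug info), so this is a normalization artifact of the cargo version that packaged the crate, not a content change. Any release checklist that diffs a published crate against a local `cargo package` should either compare Cargo.toml.orig or normalize both manifests with the same cargo version before comparing.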

I have not checked other versions, but I think we need a better crate build process that ensures crates are the same as what is in git.


link2xt commented Mar 31, 2024

Same for 0.11.0:

$ diffoscope pgp-0.11.0.crate rpgp/target/package/pgp-0.11.0.crate
--- pgp-0.11.0.crate
+++ rpgp/target/package/pgp-0.11.0.crate
├── pgp-0.11.0.crate-content
│ ├── file list
│ │ @@ -1,14 +1,14 @@
│ │  -rw-r--r--   0        0        0       94 1970-01-01 00:00:01.000000 pgp-0.11.0/.cargo_vcs_info.json
│ │  -rw-r--r--   0        0        0      129 2006-07-24 01:21:28.000000 pgp-0.11.0/.github/dependabot.yml
│ │  -rw-r--r--   0        0        0     7869 2006-07-24 01:21:28.000000 pgp-0.11.0/.github/workflows/ci.yml
│ │  -rw-r--r--   0        0        0       89 2006-07-24 01:21:28.000000 pgp-0.11.0/.gitignore
│ │  -rw-r--r--   0        0        0       87 2006-07-24 01:21:28.000000 pgp-0.11.0/.gitmodules
│ │  -rw-r--r--   0        0        0    42740 2006-07-24 01:21:28.000000 pgp-0.11.0/CHANGELOG.md
│ │ --rw-r--r--   0        0        0     4628 1970-01-01 00:00:01.000000 pgp-0.11.0/Cargo.toml
│ │ +-rw-r--r--   0        0        0     4625 1970-01-01 00:00:01.000000 pgp-0.11.0/Cargo.toml
│ │  -rw-r--r--   0        0        0     2961 2006-07-24 01:21:28.000000 pgp-0.11.0/Cargo.toml.orig
│ │  -rw-r--r--   0        0        0    10846 2006-07-24 01:21:28.000000 pgp-0.11.0/LICENSE-APACHE
│ │  -rw-r--r--   0        0        0     1022 2006-07-24 01:21:28.000000 pgp-0.11.0/LICENSE-MIT
│ │  -rw-r--r--   0        0        0      164 2006-07-24 01:21:28.000000 pgp-0.11.0/LICENSE.md
│ │  -rw-r--r--   0        0        0     1017 2006-07-24 01:21:28.000000 pgp-0.11.0/PLATFORMS.md
│ │  -rw-r--r--   0        0        0     4175 2006-07-24 01:21:28.000000 pgp-0.11.0/README.md
│ │  -rw-r--r--   0        0        0     1790 2006-07-24 01:21:28.000000 pgp-0.11.0/STATUS.md
│ ├── pgp-0.11.0/Cargo.toml
│ │ @@ -31,15 +31,15 @@
│ │      "email",
│ │  ]
│ │  license = "MIT OR Apache-2.0"
│ │  repository = "https://github.com/rpgp/rpgp"
│ │  resolver = "2"
│ │  
│ │  [profile.bench]
│ │ -debug = true
│ │ +debug = 2
│ │  
│ │  [dependencies.aes]
│ │  version = "^0.8"
│ │  
│ │  [dependencies.base64]
│ │  version = "^0.21.0"
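Review bot: same pattern as for 0.12.0-alpha.1: the file list differs only in Cargo.toml (4628 versus 4625 bytes, again 3 bytes) and the manifest hunk contains only `debug = true` against `debug = 2` under `[profile.bench]`, so both releases show one and the same cargo normalization difference rather than diverging sources.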


link2xt commented Mar 31, 2024

Not sure how to fix it, but we at least need RELEASE.md with the steps used to publish crates that ensure crates are built from a clean tree.

@dignifiedquire Did you use --allow-dirty when publishing, or was there no warning?

@dignifiedquire (Member)

> @dignifiedquire Did you use --allow-dirty when publishing, or was there no warning?

No, I never publish with dirty.

@dignifiedquire (Member)

@link2xt It seems there is some normalization step happening on upload; I adjusted the Cargo.toml to that. No idea if this is enough.


link2xt commented Apr 7, 2024

Yes, it seems cargo moves the original Cargo.toml to Cargo.toml.orig and does this normalization, but it is different depending on the cargo version used for publishing.
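The check the thread performs by hand (download the published .crate, run cargo package on the tagged checkout, diffoscope the two) can be scripted so that the generated Cargo.toml is reported separately from the author's files. The following is an added example, not code from the rPGP project: it compares two .crate archives member by member, prints a unified diff for any changed file, and reads the commit recorded in .cargo_vcs_info.json; the sample archives are constructed in memory and the commit value is an abbreviated placeholder.

```python
import difflib, io, json, tarfile


def read_crate(data: bytes) -> dict:
    """Map every regular file inside a .crate (a gzip tarball) to its bytes."""
    members = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                members[m.name] = tar.extractfile(m).read()
    return members


def vcs_commit(members: dict):
    """Git sha1 that .cargo_vcs_info.json says the crate was packaged from."""
    for name, content in members.items():
        if name.endswith("/.cargo_vcs_info.json"):
            return json.loads(content).get("git", {}).get("sha1")
    return None


def compare_crates(published: bytes, local: bytes) -> dict:
    """Member-by-member comparison; a changed text file gets a unified diff."""
    a, b = read_crate(published), read_crate(local)
    changed = {}
    for name in sorted(a.keys() & b.keys()):
        if a[name] != b[name]:
            changed[name] = list(difflib.unified_diff(
                a[name].decode(errors="replace").splitlines(),
                b[name].decode(errors="replace").splitlines(),
                "published/" + name, "local/" + name, lineterm=""))
    return {"only_published": sorted(a.keys() - b.keys()),
            "only_local": sorted(b.keys() - a.keys()),
            "changed": changed, "commit": vcs_commit(a)}


def make_crate(files: dict) -> bytes:
    """Build a constructed .crate in memory (stands in for a real download)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(content), 1
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: identical trees except for cargo's profile normalization.
PREFIX = "pgp-0.12.0-alpha.1/"
COMMON = {PREFIX + ".cargo_vcs_info.json": b'{"git":{"sha1":"2d255ed"}}',  # abbreviated placeholder
          PREFIX + "src/lib.rs": b"pub fn hello() {}\n"}
PUBLISHED = make_crate({**COMMON, PREFIX + "Cargo.toml": b"[profile.bench]\ndebug = true\n"})
LOCAL = make_crate({**COMMON, PREFIX + "Cargo.toml": b"[profile.bench]\ndebug = 2\n"})
```

On real archives, pass the bytes of the downloaded crate and of target/package/<name>-<version>.crate; an empty "changed" apart from Cargo.toml, with Cargo.toml.orig unchanged, is the signature of the normalization difference discussed here.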
