Cargo isn't consistent wrt "automatic" files and vendoring

[glandium]

Say you have a crate vendored. That crate doesn't have a build script. Now, there are two ways to add a build script. One involves adding an entry to Cargo.toml, which fails because of the checksum change in Cargo.toml, and another is to just add a build.rs file.

The latter silently succeeds (and yes, the build script is built and run).

Or is silently ignored if the crate was already built thanks to #5805.

[glandium]

Also, because of #5805, further changes to build.rs are ignored once it's built the first time.

Cc: @alexcrichton

[alexcrichton]

Yeah this isn't a great feature, but the checksum file is largely intended to be a roadblock to modifying vendored crates (instead nudging towards the correct way of doing so, [patch] and path dependencies). It wasn't ever designed to be a bulletproof solution

[0Grit]

@alexcrichton Is there a command that can validate the checksum of vendored git based crates?

[alexcrichton]

Not currently, no, only registry crates have a checksum to verify

[epage]

Something I've been considering is to evaluate all package.auto* variables during publish which should also include changing an implicit build.rs to an explicit package.build field. This would mean dropping files into a vendored registry package should have no effect, making things consistent and getting us closer the checksum encompassing everything.