Request: provide the Cargo.lock file #43

Closed
dbermond opened this issue Feb 22, 2021 · 1 comment

Comments

@dbermond
Please consider providing the Cargo.lock file. This file is important, from a packaging point of view, for making reproducible builds.

Without the lockfile, a given version of this project cannot be reproducible over time, as the dependencies will get updated. Using a lockfile with the --locked option in cargo commands (like cargo build) will ensure that the dependencies will not be updated, allowing the build to be reproducible. It can also prevent possible build problems when a dependency is updated.

As far as I'm aware, the lockfile can be automatically generated by GitHub Actions when tagging a release (in the case that it's considered too inconvenient to be carried in the source tree).

A quote from the cargo install documentation better explains the importance of the lockfile:

The --locked flag can be used to force Cargo to use the packaged Cargo.lock file if it is available. This may be useful for ensuring reproducible builds, to use the exact same set of dependencies that were available when the package was published. It may also be useful if a newer version of a dependency is published that no longer builds on your system, or has other problems.
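
What the comment above means by dependencies getting updated over time, as an added example that is not part of the original issue or the project's code: a drift check that compares the Cargo.lock captured at release with one resolved later. The sample lockfiles, crate names and versions are constructed.

```python
import re

def parse_lock(text):
    """Map each crate name to the set of versions pinned in a Cargo.lock."""
    pins = {}
    for table in text.replace("\r\n", "\n").split("[[package]]")[1:]:
        # Top-level `key = "value"` lines only; the indented dependency list is skipped.
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"$', table, flags=re.M))
        pins.setdefault(fields["name"], set()).add(fields["version"])
    return pins

def lock_drift(released, rebuilt):
    """Return {crate: (versions at release, versions now)} for every pin that differs."""
    old, new = parse_lock(released), parse_lock(rebuilt)
    return {name: (sorted(old.get(name, ())), sorted(new.get(name, ())))
            for name in sorted(old.keys() | new.keys())
            if old.get(name) != new.get(name)}

# Constructed sample data: crate names and versions are illustrative only.
RELEASED_LOCK = """\
version = 3

[[package]]
name = "demo-app"
version = "0.1.0"
dependencies = [
 "half",
 "libc",
]

[[package]]
name = "half"
version = "1.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "libc"
version = "0.2.86"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# What an unlocked build could resolve later: one bumped pin, one new transitive crate.
REBUILT_LOCK = (RELEASED_LOCK.replace('"0.2.86"', '"0.2.153"')
                + '\n[[package]]\nname = "cfg-if"\nversion = "1.0.0"\n')

if __name__ == "__main__":
    for crate, (was, now) in lock_drift(RELEASED_LOCK, REBUILT_LOCK).items():
        print(f"{crate}: {was or 'absent'} -> {now or 'absent'}")
```

An empty result means the two builds resolved the same dependency set; any entry is a crate whose code differs between the release and the rebuild.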

@vosen
Owner

vosen commented Apr 30, 2024

Done as of #206

@vosen vosen closed this as completed Apr 30, 2024