Impossible to address warning in the Maintainer Dashboard
The maintainer dashboard of lib.rs contains a new warning
The Cargo package has no git commit information
Before publishing a package, make sure all packaged files are committed to the repository, and there are no "dirty" files. Push this commit to the crate's public repository.
To protect against supply chain attacks similar to CVE-2024-3094, lib.rs will soon start flagging non-reproducible packages without public source code as suspicious. Currently only git repositories are supported (but may be hosted anywhere, not just GitHub). If you'd like a different SCM supported, please file a feature request.
While I totally understand why this is an important feature, I do not see a way to address this warning for crates that I maintain as it's just not possible due to limitations in cargo.
Consider the following case: https://lib.rs/~sgrif/dash emitting this warning for diesel-derives. Cargo requires that all dependencies of a package are published before publishing the crate itself. That includes dev-dependencies. For diesel-derives that means we would need to publish diesel, as it's a dev-dependency for diesel-derives: https://github.com/diesel-rs/diesel/blob/d3cd0afdadd67416a97759fb7ad0c5ec987b0556/diesel_derives/Cargo.toml#L25-L27 (because it's used in the tests). Notably it's only used in the tests directory, which is explicitly excluded from the published build: https://github.com/diesel-rs/diesel/blob/d3cd0afdadd67416a97759fb7ad0c5ec987b0556/diesel_derives/Cargo.toml#L10. Now you could argue: "Just publish diesel first", but that also doesn't work because diesel depends on diesel_derives, because it's used internally. Given this setup I see no way to actually satisfy this requirement, especially if I want to be able to run the CI tests on the same commit as the published version.
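The warning quoted above asks maintainers to confirm that every file `cargo package` would ship is committed and clean before publishing. The following script is an added example written for this thread; it is not code from lib.rs, cargo, or the diesel project. It compares the output of `cargo package --list`, `git ls-files` and `git status --porcelain` and reports packaged files that are untracked or modified. It assumes that `git ls-files` is run from the crate directory (so its paths are crate-relative) while `git status --porcelain` paths are repository-root relative, which is why a `prefix` such as `diesel_derives/` is stripped for a workspace member; the sample inputs at the bottom are constructed so the check runs offline.

```python
"""Audit that the files cargo would package are all committed and clean.

Added example, not lib.rs or cargo code. Run `run_in_repo()` inside a crate
directory with git and cargo installed, or call `audit()` on captured output.
"""
import subprocess
from dataclasses import dataclass, field

# Files cargo writes into the .crate archive itself; they are not expected in git.
CARGO_GENERATED = {"Cargo.toml.orig", ".cargo_vcs_info.json", "Cargo.lock"}


@dataclass
class PackageAudit:
    untracked: list = field(default_factory=list)  # packaged but never committed
    modified: list = field(default_factory=list)   # packaged, tracked, but dirty
    generated: list = field(default_factory=list)  # added by cargo, ignored

    @property
    def clean(self) -> bool:
        """True when publishing would ship exactly what is committed."""
        return not self.untracked and not self.modified


def parse_porcelain(porcelain: str, prefix: str = "") -> set:
    """Return crate-relative paths of dirty files from `git status --porcelain`.

    Porcelain v1 paths are repo-root relative; `prefix` (e.g. "diesel_derives/")
    keeps only entries inside the crate and strips the prefix.
    """
    dirty = set()
    for line in porcelain.splitlines():
        if len(line) < 4:  # "XY path" needs at least the 3-char status prefix
            continue
        path = line[3:]
        if " -> " in path:  # renames: "R  old -> new"; the new path is shipped
            path = path.split(" -> ", 1)[1]
        if prefix:
            if not path.startswith(prefix):
                continue
            path = path[len(prefix):]
        dirty.add(path)
    return dirty


def audit(package_list: str, tracked: str, porcelain: str, prefix: str = "") -> PackageAudit:
    """package_list: `cargo package --list`; tracked: `git ls-files` (run in the
    crate dir); porcelain: `git status --porcelain` (repo-root relative)."""
    packaged = [l.strip() for l in package_list.splitlines() if l.strip()]
    tracked_set = {l.strip() for l in tracked.splitlines() if l.strip()}
    dirty = parse_porcelain(porcelain, prefix)
    result = PackageAudit()
    for path in packaged:
        if path in CARGO_GENERATED and path not in tracked_set:
            result.generated.append(path)
        elif path not in tracked_set:
            result.untracked.append(path)
        elif path in dirty:
            result.modified.append(path)
    return result


def run_in_repo() -> PackageAudit:
    """Collect the three listings from the real tools in the current crate dir."""
    def out(*cmd):
        return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    # `git rev-parse --show-prefix` yields the crate dir relative to the repo root
    # (empty string when the crate root is the repo root).
    prefix = out("git", "rev-parse", "--show-prefix").strip()
    return audit(
        out("cargo", "package", "--list", "--allow-dirty"),
        out("git", "ls-files"),
        out("git", "status", "--porcelain"),
        prefix,
    )


# Constructed sample listings for a workspace member named diesel_derives.
SAMPLE_PACKAGE_LIST = "Cargo.toml\nCargo.toml.orig\nsrc/lib.rs\nsrc/generated.rs\nREADME.md\n"
SAMPLE_TRACKED = "Cargo.toml\nsrc/lib.rs\nREADME.md\ntests/integration.rs\n"
SAMPLE_PORCELAIN = " M diesel_derives/src/lib.rs\n?? diesel_derives/src/generated.rs\n M diesel/src/lib.rs\n"


def sample_audit() -> PackageAudit:
    return audit(SAMPLE_PACKAGE_LIST, SAMPLE_TRACKED, SAMPLE_PORCELAIN, prefix="diesel_derives/")


if __name__ == "__main__":
    report = sample_audit()
    print("clean:", report.clean)
    print("untracked:", report.untracked)
    print("modified:", report.modified)
```

The check only tells a maintainer whether the tree they are about to publish matches a commit; it does not resolve the dev-dependency cycle described in the post, since `cargo package` still requires every dependency, dev-dependencies included, to be resolvable.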