rust-secure-code/cargo-auditable

Add actual git repository for source

ctron opened this issue · 4 comments

ctron commented

The Source information only contains information about what kind of repository/registry was used.

This is enough in the case of a dependency from crates.io, but especially for a git dependency, this could mean anything, and doesn't really provide any value IMHO.

Unless of course, the actual repository information (like the git repository + revision) would be available too.

I know this would increase the size of the metadata. However, I also think it would provide quite some value. And this would only be the case if one used dependencies from git anyway.

The repository URL is deliberately redacted because of privacy concerns raised in the RFC: rust-lang/rfcs#2801

However, we could and probably should include commit hashes for dependencies from git.

ctron commented

Hm, that's a good point indeed.

I guess it depends on one's use case. Adding commit hashes shouldn't be a problem, I guess, but it would improve the situation.

ctron commented

Just a thought that crossed my mind. Why not allow both? If a user has no problem with "leaking" this information, then it can be added. Otherwise, it will be redacted using a hash as you suggested.

So the choice is up to the person verifying the information whether this is good enough or not.

Including git repo URLs causes privacy issues, but I've opened #122 to track including commit hashes.
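The practical consequence of the thread above, as an added example that is not cargo-auditable's own code: a consumer of the embedded dependency list can tell that a package came from git, but (until commit hashes land) cannot pin it to a revision, so such packages should be reported as unverifiable. The sample data is constructed here in the shape of the embedded JSON (a `packages` array with `name`, `version`, `source`, `kind`-less here, and `dependencies` as indices into the array); the blob is decompressed with zlib as cargo-auditable stores it, but is built in memory rather than read from a binary's section. The `commit` field is hypothetical and stands for the commit hash proposed in the thread; it is not part of the format as of this issue.

```python
"""Added example (not cargo-auditable's own code): decode an embedded
dependency list and flag git dependencies that cannot be pinned."""
import json
import zlib

# Constructed sample in the shape of cargo-auditable's embedded JSON.
# "source" carries only the kind of source, never a URL, as the thread
# describes. The "commit" field is HYPOTHETICAL: it stands for the commit
# hash proposed in the issue and is not emitted by cargo-auditable.
SAMPLE_JSON = json.dumps({
    "packages": [
        {"name": "myapp", "version": "0.1.0", "source": "local",
         "root": True, "dependencies": [1, 2, 3]},
        {"name": "serde", "version": "1.0.190", "source": "crates.io",
         "dependencies": []},
        {"name": "helper", "version": "0.3.0", "source": "git",
         "dependencies": []},
        {"name": "pinned", "version": "0.2.0", "source": "git",
         "commit": "0123456789abcdef0123456789abcdef01234567",
         "dependencies": []},
    ]
})

# The blob as it would sit in the binary: zlib-compressed JSON.
SAMPLE_BLOB = zlib.compress(SAMPLE_JSON.encode("utf-8"))


def decode_audit_data(blob: bytes) -> dict:
    """Decompress and parse the embedded dependency list."""
    return json.loads(zlib.decompress(blob).decode("utf-8"))


def is_full_sha1(value) -> bool:
    """A 40-hex-digit git object id; short hashes are not accepted."""
    return (isinstance(value, str) and len(value) == 40
            and all(c in "0123456789abcdef" for c in value.lower()))


def classify(package: dict) -> str:
    """Can this package be tied to exact upstream code from the blob alone?

    crates.io: name + version identify one immutable upload.
    git: only verifiable if a (hypothetical) full commit hash is present;
         the URL is redacted, so without a hash the entry could be anything.
    local / registry / other: no stable identity is recorded.
    """
    source = package.get("source")
    if source == "crates.io":
        return "verifiable"
    if source == "git":
        return "pinned" if is_full_sha1(package.get("commit")) else "unverifiable"
    return "unverifiable"


def unverifiable_packages(data: dict) -> list:
    """(name, version, source) for every non-root package that cannot be pinned."""
    return [
        (p["name"], p["version"], p.get("source"))
        for p in data["packages"]
        if not p.get("root") and classify(p) == "unverifiable"
    ]


def dependency_names(data: dict, index: int) -> list:
    """Resolve the index-based dependency list of one package to names."""
    pkgs = data["packages"]
    return [pkgs[i]["name"] for i in pkgs[index].get("dependencies", [])]


if __name__ == "__main__":
    audit = decode_audit_data(SAMPLE_BLOB)
    root = next(i for i, p in enumerate(audit["packages"]) if p.get("root"))
    print("root depends on:", dependency_names(audit, root))
    for name, version, source in unverifiable_packages(audit):
        print(f"cannot verify {name} {version}: source kind '{source}' "
              f"carries no URL or commit")
```

The check deliberately treats a short or missing hash as unverifiable rather than trusting a prefix, since a prefix is not enough to fetch a specific object from an unknown repository.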