
Record git hash of source tree in package #5629

Closed
@dekellum

Description

@dekellum

The cargo package step now requires that the source tree is clean (has no uncommitted changes).

The automating of git tag on release is proposed in #841 with some WIP.

As (previously) proposed, recording the git hash is compatible with these and would be immediately useful. In a comment on #2640 @alexcrichton suggests that "we could record the SHA" after ensuring a commit is published, etc. But I don't think it is necessary to ensure that a commit is pushed to its canonical repo in order for the SHA hash to be useful.

For example, there's a crate with 30K downloads where the author doesn't bother with a change log or even release tags. With best efforts, manually created release tags are sometimes forgotten or delayed, raising the question of what was the commit that was released. Even with #841 in place, a recorded hash would be reassuring. Tags can be changed. It may not be practical to automatically push tags, given workflow differences.

Utility:

  • If a SHA hash can be extracted (or seen on crates.io) and it matches a signed git tag in the canonical repository, that is very reassuring. A+!

  • Otherwise if it disagrees with (any) tag, but matches a plausible commit in the canonical tree, then that is at least somewhat reassuring, and possibly worth follow-up with the author.

  • If it doesn't match any commit in the canonical repo, that's a definite warning flag, and I have a starting point to follow up with the author.

Eventually something like crates.io (and/or deps.rs) could actually automate the comparison of the SHA hash with a commit/tag in the canonical repo, warning if there is any disparity. This wouldn't obviate the need for other forms of security, like rust-lang/crates.io#75, but it would be complementary.
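One way to carry out the three-way comparison the issue describes, as an added example that is not part of the issue or of cargo itself: read the recorded hash out of a `.crate` tarball and grade it against a local clone of the canonical repository (signed tag, tag only, commit only, or unknown). It assumes the hash is shipped inside the tarball as a `.cargo_vcs_info.json` file of the form `{"git": {"sha1": "<hex>"}}` (an assumed layout, since the issue proposes no format) and that `git` can read the local clone; `build_sample_crate` is a constructed fixture, not a real crate.

```python
import io, json, re, subprocess, tarfile, tempfile

def recorded_sha(crate_path):
    """Commit hash from the crate's .cargo_vcs_info.json (assumed layout), or None if absent."""
    with tarfile.open(crate_path, "r:gz") as tar:
        for member in tar.getmembers():
            if member.name.endswith(".cargo_vcs_info.json"):
                sha = json.load(tar.extractfile(member))["git"]["sha1"]
                if not re.fullmatch(r"[0-9a-f]{40}", sha):  # accept only a plain 40-hex sha1
                    raise ValueError(f"malformed sha1 in crate: {sha!r}")
                return sha
    return None

def git(repo, *args):
    return subprocess.run(["git", "-C", repo, *args], capture_output=True, text=True)

def git_tags(repo):
    """Map tag name -> (commit it points at, whether `git verify-tag` accepts its signature)."""
    refs = git(repo, "for-each-ref", "--format=%(refname:short) %(objectname) %(*objectname)", "refs/tags")
    tags = {}
    for line in refs.stdout.splitlines():
        name, obj, peeled = (line.split(" ") + [""])[:3]  # lightweight tags have no peeled sha
        tags[name] = (peeled or obj, git(repo, "verify-tag", name).returncode == 0)
    return tags

def commit_exists(repo, sha):
    return git(repo, "cat-file", "-e", f"{sha}^{{commit}}").returncode == 0

def classify(sha, tags, has_commit):
    """Grade the recorded hash: signed tag, tag only, commit only, or unknown to the canonical repo."""
    hits = [name for name, (commit, _) in tags.items() if commit == sha]
    signed = [name for name in hits if tags[name][1]]
    if signed:
        return "A+", f"matches signed tag {signed[0]}"
    if hits:
        return "tag-unsigned", f"matches tag {hits[0]} but its signature does not verify"
    if has_commit:
        return "commit-only", "matches a commit but no tag; worth following up with the author"
    return "warning", "not a commit in the canonical repo; follow up with the author"

def build_sample_crate(sha):
    """Constructed fixture: a minimal tarball holding only .cargo_vcs_info.json, not a real crate."""
    data = json.dumps({"git": {"sha1": sha}}).encode()
    info = tarfile.TarInfo("demo-0.1.0/.cargo_vcs_info.json")
    info.size = len(data)
    path = tempfile.NamedTemporaryFile(suffix=".crate", delete=False).name
    with tarfile.open(path, "w:gz") as tar:
        tar.addfile(info, io.BytesIO(data))
    return path
```

Against a real crate and clone the call is `classify(sha, git_tags(repo), commit_exists(repo, sha))` with `sha = recorded_sha(path)`.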

Metadata


Labels: C-feature-request (Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted`), Command-publish
