Verifying that .crate files match the git repository

As mentioned in this post in the original thread mentioned at the start here, there may be legitimate reasons for diffs between the .crate and VCS checkout. This includes:

  • Git's export-ignore attribute that leaves files out of its archives
  • Git's export-subst that does placeholder expansion when inserting content into the archive (note that things like short hashes can change over time as the default short hash length grows as the repository does or collisions appear)
  • I believe cargo itself can ignore files either by configuration or behavior (Cargo.lock for libraries?)
  • VCS filters like git-lfs or git-annex being present and active for a given checkout (I only install LFS hooks per-repo as needed…I hate being surprised with large file downloads on clone)
  • Submodules probably throw wrenches around here because why not

I can think of ways this can DoS crates.io (hi there, here's Chromium's repo…).

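To make the list above concrete, here is an added example (written for this page, not code from the original post or from cargo) that compares the file list of a `.crate` archive against a git checkout's file list and sorts each difference into "explained" and "unexplained" buckets. It reads `export-ignore` patterns from a `.gitattributes` file (a simplified approximation of git's pattern matching, not a full reimplementation) and treats the two files cargo itself adds to every package, `Cargo.toml.orig` and `.cargo_vcs_info.json`, as expected extras. The sample repository file list, `.gitattributes` content and in-memory `.crate` tarball are all constructed for the example; `export-subst`, git-lfs and submodules from the post are not modelled.

```python
"""Classify differences between a .crate's contents and a git checkout's file list.

Added example: not part of the original forum post or of cargo. The git
attribute matching below is an approximation, and the sample data is constructed.
"""
import fnmatch
import io
import tarfile

# Files cargo writes into every packaged crate that never exist in the repository.
CARGO_GENERATED = {"Cargo.toml.orig", ".cargo_vcs_info.json"}


def parse_export_ignore(gitattributes_text):
    """Return the path patterns that carry the export-ignore attribute."""
    patterns = []
    for line in gitattributes_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if "export-ignore" in parts[1:]:
            patterns.append(parts[0])
    return patterns


def is_export_ignored(path, patterns):
    """Approximate gitattributes matching: the pattern matches the path itself,
    anything beneath a directory pattern, or (for slash-free patterns) the
    basename at any depth, like .gitignore."""
    for pat in patterns:
        pat = pat.lstrip("/")
        if fnmatch.fnmatch(path, pat):
            return True
        base = pat.rstrip("/")
        if path.startswith(base + "/"):
            return True
        if "/" not in base and fnmatch.fnmatch(path.rsplit("/", 1)[-1], base):
            return True
    return False


def crate_member_paths(crate_bytes):
    """List regular-file paths in a .crate (gzipped tar), stripping 'name-version/'."""
    paths = set()
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                paths.add(member.name.split("/", 1)[1])
    return paths


def classify(vcs_files, crate_files, export_ignore_patterns):
    """Split the symmetric difference into explained and unexplained entries."""
    vcs, crate = set(vcs_files), set(crate_files)
    missing = vcs - crate          # in the repo, absent from the crate
    extra = crate - vcs            # in the crate, absent from the repo
    ignored = {p for p in missing if is_export_ignored(p, export_ignore_patterns)}
    return {
        "export_ignored": sorted(ignored),
        "unexplained_missing": sorted(missing - ignored),
        "cargo_generated": sorted(extra & CARGO_GENERATED),
        "unexplained_extra": sorted(extra - CARGO_GENERATED),
    }


def build_crate(prefix, files):
    """Build a gzipped tar in memory shaped like a .crate (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: a repo with export-ignore rules and a crate that differs from it.
SAMPLE_GITATTRIBUTES = """
# large fixtures and docs are left out of archives
/tests/fixtures export-ignore
*.md export-ignore
"""
SAMPLE_VCS_FILES = ["Cargo.toml", "src/lib.rs", "tests/fixtures/big.bin", "README.md", "build.rs"]
SAMPLE_CRATE = build_crate("demo-0.1.0", {
    "Cargo.toml": "[package]\nname = \"demo\"\n",
    "Cargo.toml.orig": "[package]\nname = \"demo\"\n",
    ".cargo_vcs_info.json": "{}",
    "src/lib.rs": "",
    "src/generated.rs": "",   # present only in the crate: worth a human look
})


def run_sample():
    return classify(SAMPLE_VCS_FILES, crate_member_paths(SAMPLE_CRATE),
                    parse_export_ignore(SAMPLE_GITATTRIBUTES))


if __name__ == "__main__":
    for bucket, paths in run_sample().items():
        print(f"{bucket}: {paths}")
```

Only the two "unexplained" buckets need a reviewer's attention; the export-ignore and cargo-generated entries are the legitimate diffs the post describes. On a real repository, `git ls-files` (or `git archive` for the post-attribute view) supplies the checkout side, and the `.crate` comes from the registry.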