Reproducible crates.io releases

[robo9k]

• I have searched the existing feature request issues for similar ones.

Is your feature request related to a problem? Please describe.
Reproducible builds make it easier to verify that a release has not been tampered with as part of supply chain security.

Describe the solution you'd like
The magic crate should follow best practices to make sure its crates.io releases are reproducible from their source.

This could be verified manually, e.g. with

• https://github.com/M4SS-Code/cargo-goggles
• https://lib.rs/~robo9k/dash

Describe alternatives you've considered
Do not invest additional effort and rely on e.g. release-plz only

Additional context
There have been various write-ups about the topic in general, some with analysis of the top N crates

• https://codeandbitters.com/published-crate-analysis/

[robo9k]

The lib.rs Dashboard is complaining:

README missing from crate tarball

Cargo sometimes fails to package the README file. Ensure the path to the README in Cargo.toml is valid, and points to a file inside the crate's directory.

[robo9k]

Using cargo-goggles we get the following:

$ cargo +1.77 new --bin mgc
$ cd mgc
$ cargo +1.77 add magic
$ cargo goggles

Downloading magic v0.16.2
Cloning https://github.com/robo9k/rust-magic.git
Packaging release magic v0.16.2
Package magic has file magic-0.16.2/README-crate.md in our release but not in crates.io tarball
Downloading magic-sys v0.3.0
Cloning https://github.com/robo9k/rust-magic-sys.git
Packaging release magic-sys v0.3.0
Package magic-sys has file magic-sys-0.3.0/Cargo.lock in our release but not in crates.io tarball

[robo9k]

Regarding the README, Cargo.toml contains the following:

readme = "README-crate.md"
include = [
	"/src/",
]

The Cargo reference https://doc.rust-lang.org/cargo/reference/manifest.html#the-readme-field isn't clear on whether include needs to include readme as well
This requires a new release and can not be fixed for previous versions.

The LICENSES/ files are not included either, but this is a separate topic.

---

Regarding Cargo.lock in magic-sys, this might be due to the age of that release. iirc older cargo versions did not publish the lock file.
This requires a new release and can not be fixed for previous versions.

[robo9k]

Older releases of both magic and magic-sys could be checked as well for things that can be fixed, e.g. adding Git tags for their versions.

[robo9k]

Downside of including a readme in the .crate is that it is not strictly required to use magic as a cargo dependency, but it will be downloaded every time (see "the lean crate" topic).

Arguably reproducibility tools should fetch this file from another crates.io endpoint, since the file does get stored in the registry.

While the readme can include code samples (with doctest), it is not part of the executable crate code.