Reproducing crates published to

I have built a script that takes Cargo.lock, downloads crates listed there and tries to reproduce them: GitHub - link2xt/cargo-repack: Utility to test reproducibility of crates from Cargo.lock

It works by downloading the crate from, looking up the repository from Cargo.toml packaged inside and git revision from .cargo_vcs_info.json, then rebuilding the crate locally using cargo package.

It then compares built crate using to the one downloaded from and runs diffoscope if the result is different.

I ran it on GitHub - deltachat/deltachat-core-rust: Delta Chat Rust Core library, used by Android/iOS/desktop apps, bindings and bots 📧 and it managed to reproduce 523 out of 569 crates. Failures are mostly due to:

  1. Old crates that have been published with older versions of cargo and have different format of .cargo_vcs_info.json.
  2. Publishing from a dirty worktree.
  3. Publishing from a commit that is not pushed to the repository afterwards.

I think Rust does not discourage --allow-dirty flag or even suggests it when worktree is dirty. The result is that a lot of developers publish crates that are slightly different from the repository, e.g. have different Cargo.lock or debug settings locally modified in Cargo.toml like in pgp-0.12.0-alpha.1 crate is published with modified Cargo.toml · Issue #327 · rpgp/rpgp · GitHub

If you publish crates to, make sure you always publish from a clean worktree.

I would also like to modify the way I build crates in a reproducible way, e.g. by running cargo package inside Nix, but then there is apparently no way to upload built package to afterwards with another command.


I see the same topic on zulipchat lately.

now Im dreaming of a system that automatically checks that the sources there are actually the same as in the crate file, and adds a little warning icon on if they are not :slight_smile:

yeah, that is a long-term goal. I think Walter Pearce or Adam Harvey (LawnGnome) have already prototyped something like that for eventual inclusion in

src: Link to where the sources of a crate are located in git

GitHub - M4SS-Code/cargo-goggles: Verify that registry crates in your Cargo.lock are reproducible from the git repository now also exists since a couple of hours ago.


Just wanted to post it here, I will likely switch to contributing to it and deprecate my own tool. cargo-goggles also looks for a tag and compares file contents instead of trying to reproduce the whole .crate file which seems to be impossible if Cargo.lock is slightly outdated and cargo wants to regenerate it.

1 Like