Discrepancy between index and crate metadata not reported #11319

Open
Jake-Shadle opened this issue Nov 1, 2022 · 0 comments
Jake-Shadle commented Nov 1, 2022

Problem

Cargo does not report/warn/error when there is a discrepancy between the crate metadata located in the index, and the actual metadata of the crate package when downloaded from a registry.

When investigating EmbarkStudios/krates#46 I encountered a crate, specifically conv v0.3.3, where the index entry differs from the crate's manifest when downloaded from crates.io.

Index entry

$HOME/.cargo/registry/index/github.com-1ecc6299db9ec823/.cache/co/nv/conv

{
  "name": "conv",
  "vers": "0.3.3",
  "deps": [
    {
      "name": "custom_derive",
      "req": "^0.1.5",
      "features": [],
      "optional": false,
      "default_features": false,
      "target": null,
      "kind": "normal"
    },
    {
      "name": "winapi",
      "req": "< 0.2.6",
      "features": [],
      "optional": false,
      "default_features": true,
      "target": null,
      "kind": "dev"
    },
    {
      "name": "quickcheck",
      "req": "^0.2.21, < 0.2.25",
      "features": [],
      "optional": false,
      "default_features": true,
      "target": null,
      "kind": "dev"
    }
  ],
  "cksum": "78ff10625fd0ac447827aa30ea8b861fead473bb60aeb73af6c1c58caf0d1299",
  "features": {
    "std": [
      "custom_derive/std"
    ],
    "default": [
      "std"
    ]
  },
  "yanked": false
}

Package source

$HOME/.cargo/registry/src/github.com-1ecc6299db9ec823/conv-0.3.3/Cargo.toml

[package]
name = "conv"
version = "0.3.3"
authors = ["Daniel Keep <daniel.keep@gmail.com>"]

description = "This crate provides a number of conversion traits with more specific semantics than those provided by 'as' or 'From'/'Into'."
repository = "https://github.com/DanielKeep/rust-conv"
documentation = "https://danielkeep.github.io/rust-conv/doc/conv/index.html"
readme = "README.md"
license = "MIT"
keywords = ["from", "into", "conversion", "approximation"]

exclude = [
    "scripts/*",
    "update-docs.py",
]

[dependencies]
custom_derive = "0.1.2"

[dev-dependencies]
quickcheck = "0.2.21, < 0.2.25"

Note that in the index entry, there are 2 features, default and std, but in the package source, those features don't exist, and indeed, when looking at the commit history of the source repository, this commit is possibly the one that was actually published as the 0.3.4 version.

If we generate the cargo metadata for this crate, we see the discrepancies more clearly. (note that I snipped the targets field for brevity)

{
  "packages": [
    {
      "name": "conv",
      "version": "0.3.3",
      "id": "conv 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)",
      "license": "MIT",
      "license_file": null,
      "description": "This crate provides a number of conversion traits with more specific semantics than those provided by 'as' or 'From'/'Into'.",
      "source": "registry+https://github.com/rust-lang/crates.io-index",
      "dependencies": [
          {
              "name": "custom_derive",
              "source": "registry+https://github.com/rust-lang/crates.io-index",
              "req": "^0.1.2",
              "kind": null,
              "rename": null,
              "optional": false,
              "uses_default_features": true,
              "features": [],
              "target": null,
              "registry": null
          },
          {
              "name": "quickcheck",
              "source": "registry+https://github.com/rust-lang/crates.io-index",
              "req": "^0.2.21, <0.2.25",
              "kind": "dev",
              "rename": null,
              "optional": false,
              "uses_default_features": true,
              "features": [],
              "target": null,
              "registry": null
          }
      ],
      "targets": [
        
      ],
      "features": {},
      "manifest_path": "$HOME/.cargo/registry/src/github.com-1ecc6299db9ec823/conv-0.3.3/Cargo.toml",
      "metadata": null,
      "publish": null,
      "authors": [
          "Daniel Keep <daniel.keep@gmail.com>"
      ],
      "categories": [],
      "keywords": [
          "from",
          "into",
          "conversion",
          "approximation"
      ],
      "readme": "README.md",
      "repository": "https://github.com/DanielKeep/rust-conv",
      "homepage": null,
      "documentation": "https://danielkeep.github.io/rust-conv/doc/conv/index.html",
      "edition": "2015",
      "links": null,
      "default_run": null,
      "rust_version": null
    }
  ],
  "resolve": {
    "nodes": [
      {
        "id": "conv 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)",
        "dependencies": [
            "custom_derive 0.1.7 (registry+https://github.com/rust-lang/crates.io-index)"
        ],
        "deps": [
            {
                "name": "custom_derive",
                "pkg": "custom_derive 0.1.7 (registry+https://github.com/rust-lang/crates.io-index)",
                "dep_kinds": [
                    {
                        "kind": null,
                        "target": null
                    }
                ]
            }
        ],
        "features": [
            "default",
            "std"
        ]
      }
    ]
  }
}

The most obvious is that while the resolved node has the default and std features enabled in the resolved node, the actual features map in the package metadata is empty, presumably because while the features are resolved via the index entry, the package metadata is read from the crate source entirely. This also accounts for why the winapi crate, which is in the index entry, isn't shown as a dev dependency in the package metadata.

I believe this shows there is (or was?) a bug in cargo publish where such a situation was allowed to happen. I don't know how exactly the index and the crate package could disagree like this, but considering conv 0.3.3 was published "over 6 years ago" it's possible (likely?!) this faulty publish behavior has been fixed at some point.

Steps

  1. cargo init weird
  2. cd weird
  3. cargo add conv
  4. cargo metadata --format-version 1 > md.json

Possible Solution(s)

The obvious solution for this particular case would be to fix the crate package in crates.io for the conv crate, but I am assuming that if there is one crate like this in the crates.io registry, there are probably more, hence the request for some kind of warning message or something from cargo to indicate that something is amiss.

Notes

I'm reporting this to cargo since to me this kind of conflict should be reported by cargo to the user in some way, and indicates at least a previous bug in cargo publish, but feel free to move this to crates.io or wherever makes the most sense.

Version

cargo 1.64.0 (387270bc7 2022-09-16)
release: 1.64.0
commit-hash: 387270bc7f446d17869c7f208207c73231d6a252
commit-date: 2022-09-16
host: x86_64-unknown-linux-gnu
libgit2: 1.4.2 (sys:0.14.2 vendored)
libcurl: 7.83.1-DEV (sys:0.4.55+curl-7.83.1 vendored ssl:OpenSSL/1.1.1q)
os: EndeavourOS Rolling Release (rolling) [64-bit]
@Jake-Shadle Jake-Shadle added the C-bug Category: bug label Nov 1, 2022
@ehuss ehuss added the A-registries Area: registries label Nov 7, 2022
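
The check the issue asks for can be approximated outside cargo by diffing a registry index entry against the matching package from `cargo metadata`. The following is an added example, not part of the issue and not cargo's own code; the function names are hypothetical, the field names are those visible in the two JSON records above, and renamed or target-specific dependencies are assumed absent.

```python
# Constructed sample input: trimmed copies of the two JSON records quoted in the issue.
INDEX = {
    "deps": [
        {"name": "custom_derive", "req": "^0.1.5", "default_features": False, "kind": "normal"},
        {"name": "winapi", "req": "< 0.2.6", "default_features": True, "kind": "dev"},
        {"name": "quickcheck", "req": "^0.2.21, < 0.2.25", "default_features": True, "kind": "dev"},
    ],
    "features": {"std": ["custom_derive/std"], "default": ["std"]},
}
PACKAGE = {
    "dependencies": [
        {"name": "custom_derive", "req": "^0.1.2", "kind": None, "uses_default_features": True},
        {"name": "quickcheck", "req": "^0.2.21, <0.2.25", "kind": "dev", "uses_default_features": True},
    ],
    "features": {},
}

def _norm_req(req):
    # The two records space the same requirement differently ("< 0.2.25" vs "<0.2.25").
    return ",".join(part.replace(" ", "") for part in req.split(","))

def _dep_map(deps, default_key):
    # Key by (name, kind); the index writes "normal" where cargo metadata writes null.
    return {(d["name"], d.get("kind") or "normal"): (_norm_req(d["req"]), d.get(default_key, True))
            for d in deps}

def diff_index_vs_package(index, package):
    """Return findings as strings; an empty list means the two records agree."""
    findings = []
    idx = _dep_map(index["deps"], "default_features")
    pkg = _dep_map(package["dependencies"], "uses_default_features")
    for name, kind in sorted(idx.keys() | pkg.keys()):
        a, b = idx.get((name, kind)), pkg.get((name, kind))
        if a is None or b is None:
            findings.append(f"dep {name} ({kind}): only in {'package' if a is None else 'index'}")
            continue
        if a[0] != b[0]:
            findings.append(f"dep {name} ({kind}): req {a[0]} != {b[0]}")
        if a[1] != b[1]:
            findings.append(f"dep {name} ({kind}): default features {a[1]} != {b[1]}")
    idx_f, pkg_f = index.get("features", {}), package.get("features", {})
    for feat in sorted(idx_f.keys() | pkg_f.keys()):
        if idx_f.get(feat) != pkg_f.get(feat):
            findings.append(f"feature {feat}: index={idx_f.get(feat)} package={pkg_f.get(feat)}")
    return findings

if __name__ == "__main__":
    print("\n".join(diff_index_vs_package(INDEX, PACKAGE)))
```

In a dependency audit, any non-empty result means the resolver (which reads the index) and tools that read the unpacked manifest are working from different dependency and feature sets for the same version.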