crate source verification #110

Open
matthiaskrgr opened this issue Dec 15, 2021 · 4 comments
matthiaskrgr commented Dec 15, 2021

It would be interesting if cargo-cache could find local extracted sources that differ from the contents of the respective .xz /.crate archives.

EDIT: idea dump:

  • git fsck all git repos (already implemented: --fsck) todo: parallelize
  • check extracted sources for mismatching sizes (already implemented)
  • read all the .crate archives and make sure they are ok (not sure if this is needed since cargo would complain anyway I guess..?)
  • check git repo checkouts for added/missing/edited files
  • check extracted crate sources content (probably expensive, need to extract every .crate into a temp dir and compare hash sums / diffs of files, there might also be a ton of unexpected problems)
@matthiaskrgr
Owner Author

might get away with checking if any files contained inside the extracted sources are newer than downloaded source archive (.crate)

@matthiaskrgr matthiaskrgr changed the title crate source cerification crate source verification Dec 17, 2021
@matthiaskrgr
Owner Author

compare in-zip file against local source cache

https://rust-lang-nursery.github.io/rust-cookbook/compression/tar.html

use flate2::read::GzDecoder;
use std::fs::File;
use tar::Archive;

fn main() -> Result<(), std::io::Error> {
    let path = "datetime-0.5.2.crate";

    let tar_gz = File::open(path)?;
    let tar = GzDecoder::new(tar_gz);
    let mut archive = Archive::new(tar);

    let files = archive.entries()?;

    files.into_iter().for_each(|f| {
        let file = f.unwrap();
        // println!("{}", file.path().unwrap().display());
        // println!("{:?}", file.header());
        // print the file name and the size
        println!("{}, {} bytes", file.path().unwrap().display(), file.size());
    });

    Ok(())
}
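
The comparison idea from this thread (archive contents versus the extracted source directory), as an added example that is not from the issue or from cargo-cache's code. `Finding`, `walk` and `verify` are hypothetical names; the archive map is assumed to be filled from the tar entries as in the snippet above, and skipping `.cargo-ok` assumes cargo's unpack marker file.

```rust
use std::collections::{BTreeMap, BTreeSet};
use std::path::{Path, PathBuf};
use std::{env, fs, io};

// Missing: in the archive only. Modified: content differs. Added: on disk only.
#[derive(Debug, PartialEq)]
pub enum Finding { Missing(PathBuf), Modified(PathBuf), Added(PathBuf) }

// Collect non-directory entries under `dir`, relative to `root`; symlinks are not followed.
fn walk(root: &Path, dir: &Path, out: &mut BTreeSet<PathBuf>) -> io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        if fs::symlink_metadata(&path)?.is_dir() {
            walk(root, &path, out)?;
        } else {
            out.insert(path.strip_prefix(root).unwrap().to_path_buf());
        }
    }
    Ok(())
}

/// `archive` maps each entry's relative path to its bytes; `root` holds the extracted tree.
pub fn verify(archive: &BTreeMap<PathBuf, Vec<u8>>, root: &Path) -> io::Result<Vec<Finding>> {
    let mut on_disk = BTreeSet::new();
    walk(root, root, &mut on_disk)?;
    let mut findings = Vec::new();
    for (rel, expected) in archive {
        let path = root.join(rel);
        if !on_disk.remove(rel) {
            findings.push(Finding::Missing(rel.clone()));
        } else if !fs::symlink_metadata(&path)?.is_file() || fs::read(&path)? != *expected {
            findings.push(Finding::Modified(rel.clone()));
        }
    }
    // Assumption: cargo's `.cargo-ok` unpack marker is expected on disk and not in the archive.
    for rel in on_disk {
        if rel.file_name().map_or(true, |n| n != ".cargo-ok") {
            findings.push(Finding::Added(rel));
        }
    }
    Ok(findings)
}

fn main() -> io::Result<()> {
    // Constructed sample: one archive entry checked against an empty temp directory.
    let root = env::temp_dir().join("crate-verify-demo");
    fs::create_dir_all(&root)?;
    let archive = BTreeMap::from([(PathBuf::from("demo-0.1.0/Cargo.toml"), b"[package]".to_vec())]);
    verify(&archive, &root).map(|f| println!("{:?}", f))
}
```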

@matthiaskrgr
Owner Author

For the git source, we can go into checkouts, for instance: ~/.cargo/git/checkouts/druid-f6980810fb848923/c42de0b
and check with git-status / git diff

@matthiaskrgr matthiaskrgr self-assigned this Dec 20, 2021
@matthiaskrgr
Owner Author

still missing: git checkout verification, check something like
git status --porcelain
also handle what happens if we have checkout but no repo?
