Problematic file permissions in crates.io tar archive

[wentasah]

Files in the tar archive at crates.io lack read permissions for other users (chmod o+r). This can be demonstrated by running these commands:

$ curl -L https://crates.io/api/v1/crates/pin-utils/0.1.0/download | tar xz
$ ls -lR pin-utils-0.1.0                                                                                                                                                                                                                                  
pin-utils-0.1.0:
total 28
-rw-r--r-- 1 wsh wsh   835 Jan  1  1970 Cargo.toml
-rw-r----- 1 wsh wsh   314 Apr 22  2020 Cargo.toml.orig
-rw-r----- 1 wsh wsh 10841 Apr 22  2020 LICENSE-APACHE
-rw-r----- 1 wsh wsh  1065 Apr 22  2020 LICENSE-MIT
-rw-r----- 1 wsh wsh  1079 Apr 22  2020 README.md
drwxr-xr-x 1 wsh wsh    62 Oct  8 07:26 src
drwxr-xr-x 1 wsh wsh    50 Oct  8 07:26 tests

pin-utils-0.1.0/src:
total 12
-rw-r----- 1 wsh wsh  326 Apr 22  2020 lib.rs
-rw-r----- 1 wsh wsh 2665 Apr 22  2020 projection.rs
-rw-r----- 1 wsh wsh  633 Apr 22  2020 stack_pin.rs

pin-utils-0.1.0/tests:
total 8
-rw-r----- 1 wsh wsh 564 Apr 22  2020 projection.rs
-rw-r----- 1 wsh wsh 376 Apr 22  2020 stack_pin.rs

This is problematic when one uses cargo prefetch to prefetch the crates and then runs builds as another user. Such builds end up with the following error:

error: couldn't read /usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/pin-utils-0.1.0/src/lib.rs: Permission denied (os error 13)

[taiki-e]

This seems a cargo bug. Could you open an issue in rust-lang/cargo?

[wentasah]

Right. It seems this bug is already known for six years :-( Another similar issue is even older. I'll add comment there.

[taiki-e]

Closing in favor of cargo issue.