(In reply to David Disseldorp from comment #3) > The bcachefs-tools release script > https://evilpiepirate.org/git/bcachefs-tools.git/tree/make-release-tarball. > sh?h=v1.4.1#n31 publishes a signed source tarball with all cargo crate > dependencies vendored to https://evilpiepirate.org/bcachefs-tools/ . > I think the "easiest" way forward here would be to use that > bcachefs-tools-vendored tarball (with signature) in the Factory package. Following discussions with some Rust packagers, it seems that we might be better off using https://github.com/openSUSE/obs-service-cargo_vendor locally to do the vendoring, to ensure that its integrated crate-audit functionality is used.