> This is enough information to uniquely identify source code from crates.io, because the registry is append only (no changes to already-published packages are allowed).