Description
Problem
Some licenses (most notably the MIT and Apache-2.0 licenses, which are the ones most commonly chosen for crates) require that redistributed sources contain a copy of the actual license text. In most cases this is solved by, for example, including LICENSE-MIT and LICENSE-Apache files in the crate's git repository and having cargo include them in packaged / published crates.
However, a non-trivial number of crates redistributed on crates.io are not compliant with this license requirement, because they don't include any license texts at all. This is also a big problem when building Rust packages for Linux distributions, where compliance with license terms is one of the main hurdles a new package has to clear before being included.
Another problem is workspace crates, where the license files are only included in the root of the project's git repository but not symlinked into workspace members, so they also don't get included in published crates.
A different problem altogether is people using wrong include or exclude statements, which result in important files (like license files) not getting included in published crates.
Some crates use "creative" names for their license files, which is also sometimes problematic. Standardizing LICENSE-Foo file names as the expected format would help here, too.
Proposed Solution
It should be safe to require a license file for all SPDX identifiers (?), whether or not the terms of those licenses require redistributed sources to contain the license text.
In this case, parsing the "license" key from Cargo.toml's [package] section into individual licenses (SPDX has a simple grammar), and then checking whether LICENSE-Foo files for all of those licenses are present in the directory created by cargo package, should work.
For crates that use a license-file key, the presence of that file could be checked instead.
TL;DR: cargo can parse the [package] license = "foo" key from Cargo.toml and check whether the expected license files are present in packaged crates. If they are not, it should either warn, or maybe even error out before uploading sources to crates.io. I assume that should also make the operators of the crates.io website and service happy, since redistributing source code without license compliance is not a good idea.
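As an added illustration of the check proposed above (this is example code written for this page, not cargo's own implementation), the following Rust program splits an SPDX license expression into its individual identifiers, derives the expected LICENSE-Foo file names, and reports which identifiers have no matching file in a packaged crate directory. The SPDX handling covers only the simple operator grammar (AND / OR / WITH, parentheses, a trailing "+"); the relaxed match that also accepts LICENSE-APACHE for Apache-2.0 (version suffix dropped, case-insensitive) is an assumption about common practice, not a cargo rule, as are the function names.

```rust
use std::collections::BTreeSet;
use std::fs;
use std::path::Path;

/// Split an SPDX expression such as "MIT OR Apache-2.0" into the license
/// identifiers it mentions. Operators are dropped, and the token following
/// WITH is an exception name (e.g. LLVM-exception), not a license, so it is
/// skipped. This is a simplified splitter, not a full SPDX validator.
pub fn spdx_identifiers(expr: &str) -> Vec<String> {
    let mut ids = BTreeSet::new();
    let mut skip_next = false;
    for raw in expr.split_whitespace() {
        let token = raw.trim_matches(|c: char| c == '(' || c == ')');
        if token.is_empty() {
            continue;
        }
        if skip_next {
            skip_next = false;
            continue;
        }
        match token.to_ascii_uppercase().as_str() {
            "AND" | "OR" => continue,
            "WITH" => {
                skip_next = true;
                continue;
            }
            _ => {}
        }
        // "GPL-2.0+" means "or any later version"; the file is still LICENSE-GPL-2.0.
        ids.insert(token.trim_end_matches('+').to_string());
    }
    ids.into_iter().collect()
}

/// Accepted file names for one identifier, upper-cased for case-insensitive
/// comparison. ASSUMPTION: besides the exact LICENSE-<id>, a name with the
/// trailing "-<version>" removed (Apache-2.0 -> LICENSE-APACHE) is accepted.
fn candidate_names(id: &str) -> Vec<String> {
    let mut names = vec![format!("LICENSE-{}", id)];
    if let Some(pos) = id.rfind('-') {
        let suffix_is_version = id[pos + 1..]
            .chars()
            .next()
            .map_or(false, |c| c.is_ascii_digit());
        if suffix_is_version {
            names.push(format!("LICENSE-{}", &id[..pos]));
        }
    }
    names.into_iter().map(|n| n.to_ascii_uppercase()).collect()
}

/// Return the identifiers from `license_expr` for which none of the file
/// names in `present` (the top-level files of the packaged crate) qualifies.
pub fn missing_license_files(license_expr: &str, present: &[String]) -> Vec<String> {
    let upper: Vec<String> = present.iter().map(|p| p.to_ascii_uppercase()).collect();
    spdx_identifiers(license_expr)
        .into_iter()
        .filter(|id| !candidate_names(id).iter().any(|c| upper.contains(c)))
        .collect()
}

/// Filesystem wrapper: list the top-level entries of a packaged crate
/// directory (e.g. target/package/<name>-<version>) and run the check.
pub fn check_package_dir(dir: &Path, license_expr: &str) -> std::io::Result<Vec<String>> {
    let mut present = Vec::new();
    for entry in fs::read_dir(dir)? {
        if let Some(name) = entry?.file_name().to_str() {
            present.push(name.to_string());
        }
    }
    Ok(missing_license_files(license_expr, &present))
}

/// The `license-file` case: the single named file just has to exist.
pub fn license_file_present(dir: &Path, license_file: &str) -> bool {
    dir.join(license_file).is_file()
}

fn main() {
    // Constructed sample: a packaged crate that ships LICENSE-MIT but forgot LICENSE-APACHE.
    let present: Vec<String> = ["Cargo.toml", "LICENSE-MIT", "src"]
        .iter()
        .map(|s| s.to_string())
        .collect();
    let missing = missing_license_files("MIT OR Apache-2.0", &present);
    for id in &missing {
        println!("warning: no LICENSE-{} file found for license '{}'", id, id);
    }
    if missing.is_empty() {
        println!("all license files present");
    }
}
```

Run against a real crate with `check_package_dir(Path::new("target/package/foo-0.1.0"), "MIT OR Apache-2.0")` after `cargo package`; the returned list is exactly what the proposed warning (or error) would name.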
Notes
No response