Add actual git repository for source #98

Closed
ctron opened this issue Jan 10, 2023 · 4 comments

@ctron

ctron commented Jan 10, 2023

The Source information only contains the information about what kind of repository/registry was used.

This is enough in the case of a dependency from crates.io, but especially for a git dependency, this could mean anything, and doesn't really provide any value IMHO.

Unless of course, the actual repository information (like the git repository + revision) would be available too.

I know this would increase the size of the metadata. However, I also think it would provide quite some value. And, this would only be the case if one would use dependencies from git anyway.

@Shnatsel
Member

The repository URL is deliberately redacted because of privacy concerns raised in the RFC: rust-lang/rfcs#2801

However, we could and probably should include commit hashes for dependencies from git.

@ctron
Author

ctron commented Jan 11, 2023

Hm, that's a good point indeed.

I guess it depends on one's use case. Adding commit hashes shouldn't be a problem I guess. But would improve the situation.

@ctron
Author

ctron commented Jan 12, 2023

Just a thought that just crossed my mind. Why not allow both? If a user has no problem with "leaking" this information, then it can be added. Otherwise, it will be redacted using a hash as you suggested.

So the choice is up to the person verifying the information if this is good enough or not.

@Shnatsel
Member

Including git repo URLs causes privacy issues, but I've opened #122 to track including commit hashes.
