Warning when large binary files are included into the bundle

[mexus]

Describe the problem you are trying to solve

It seems like some crate authors do not ask cargo to exclude pictures/pdfs/other-blobs by providing an appropriate exclude = [ .. ] directive at their Cargo.tomls.

And it also seems like most of the time it is not intentional, it's more like developers might simply forget that anything that is not ignored by default gets packages into the published .crate file.

I'm not quite sure how common the situation is, though it might be happening quite often, since a deliberate action is required to exclude blobs from the package, and I wasn't able to find any advices to exclude "extra" files in the official guides.

Describe the solution you'd like
I suppose a warning when including binary large objects should do the trick, something like

[WARN] It might happen that you are unintentionally packaging a large binary object 'exapmles/drawing.bmp' (25 MB).
If it is intentional, you can turn off this warning by providing the `--allow-blobs` flag to the cargo.

Notes
It would be great if somebody's got an idea how to actually check the assumption that developers are unintentionally including extra blobs to their packages on crates.io. Currently I can only think of an article in the TWIR which explains the possible issue, but I'm looking for better ideas :)

[Eh2406]

There are many people that have downloaded all the crates and can get us a size by file type histogram.
Adding a comment about this to the instructions for publishing a crate would be great.
Adding a output line when running cargo publish that lists oddly large files, may help people notice this without changing our API and without making more work for those that are including them intentionally.

[mexus]

I know it's not that representative, but just for the reference, here's a distribution of binary files in my local /.cargo/registry/src/github.com-.. in log scale:

So in my case, most of the binary files are less than 100 KiB (but there's a significant amount of them though), but at I've also got at least a couple of files that are larger than 1 MiB. I also wonder how many of them have been included deliberately though 🤔

[weihanglo]

Note that with -Zlints we could have a configurable lint for Cargo to emit this warning.

[kornelski]

This should also complain about directories with CACHEDIR.TAG.

Cargo is smart enough not to package target/ dir in the default configuration, but inconsistent use of CARGO_TARGET_DIR can create copies of the target dirs that do get packaged.