I mean that the referenced package could be anything. I feel like guix should somehow verify that the referenced package was built from the source specified in the cargo.toml.
Also, it does not check the version. If the main package changed to depend on a newer version, the suggested more of creating a package definition would allow one to build the new package using the outdated dependency. Anywhere I can read about antioxidant? -Jonathan
