Hacker News

torginus, today at 2:42 PM, 0 replies

> An oft brought-up issue is that the code on crates.io and in Git don’t always match.

I don't understand why this is the case. IMO it should be a basic expectation that a given package is built from a frozen, dedicated git commit (represented by hash), and a likewise frozen build script. The build should be deterministic, so that the end result should be hashed, and the build script run by some trusted vendor (maybe GitHub), and the end result hashed.

If there's any doubt about the integrity of a package, the above process can be repeated, and the artifacts checked against a known hash.

This would make builds fully auditable.
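An added example (not part of torginus's comment, nor any registry's or project's code) of the "deterministic build, hash the result, repeat and compare" step the comment proposes. It uses a normalized tar of a source tree as a stand-in for the build, contrasts it with a plain `tar.add()` that embeds filesystem metadata, and constructs a small crate-like tree inline; a real crate build has further sources of nondeterminism beyond what this covers.

```python
import hashlib, io, os, tarfile, tempfile
def deterministic_archive(src_dir: str) -> bytes:
    """Tar bytes that depend only on relative paths, contents and the executable bit.
    Sorted order, pinned mtime/uid/gid/owner names, no gzip (its header has a timestamp)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for root, dirs, files in os.walk(src_dir):
            dirs.sort()  # fixed traversal order for subdirectories
            for name in sorted(files):
                path = os.path.join(root, name)
                info = tarfile.TarInfo(os.path.relpath(path, src_dir).replace(os.sep, "/"))
                info.size, info.mtime, info.uid, info.gid = os.path.getsize(path), 0, 0, 0
                info.uname = info.gname = ""
                info.mode = 0o755 if os.access(path, os.X_OK) else 0o644
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
    return buf.getvalue()

def naive_archive(src_dir: str) -> bytes:
    """Plain tar.add(): headers copy mtime/uid from the filesystem, so rebuilds drift."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(src_dir, arcname=".")
    return buf.getvalue()

def artifact_hash(src_dir: str, build=deterministic_archive) -> str:
    return hashlib.sha256(build(src_dir)).hexdigest()

def verify_artifact(src_dir: str, expected_sha256: str) -> bool:
    """Repeat the build from the frozen source and compare with the published hash."""
    return artifact_hash(src_dir) == expected_sha256.lower()

def demo() -> dict:
    """Constructed crate-like tree: built, 'checked out' again with new mtimes, then altered."""
    with tempfile.TemporaryDirectory() as src:
        os.makedirs(os.path.join(src, "src"))
        with open(os.path.join(src, "Cargo.toml"), "w") as f:
            f.write('[package]\nname = "demo"\nversion = "0.1.0"\n')
        with open(os.path.join(src, "src", "lib.rs"), "w") as f:
            f.write("pub fn add(a: u32, b: u32) -> u32 { a + b }\n")
        published, naive1 = artifact_hash(src), artifact_hash(src, naive_archive)
        for root, _, files in os.walk(src):  # second checkout: same bytes, new mtimes
            for name in files:
                os.utime(os.path.join(root, name), (1_000_000_000, 1_000_000_000))
        result = {"reproducible": verify_artifact(src, published),
                  "naive_reproducible": artifact_hash(src, naive_archive) == naive1}
        with open(os.path.join(src, "src", "lib.rs"), "a") as f:
            f.write("pub fn extra() {}\n")  # source no longer matches the frozen commit
        result["tamper_detected"] = not verify_artifact(src, published)
        return result
```

`demo()` returns `reproducible: True`, `naive_reproducible: False`, `tamper_detected: True`: the normalized build survives a fresh checkout, the naive one does not, and a source change is caught by the hash comparison.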