cloudflare / boring

BoringSSL bindings for the Rust programming language.

README should mention the pinned version of boringssl

roblabla opened this issue · comments

Currently, the README says the following:

By default, the crate statically links with the latest BoringSSL master branch.

After reviewing the code, I think this is a bit misleading. By default, the crate statically links with a pinned version of boringssl, currently set to google/boringssl@f1c7534.

I think it'd be valuable to make this clearer in the README. After reading the current README, I initially thought it was dynamically fetching the latest version of boringssl in its build.rs. In fact, there is a call to git submodule in a build.rs, but it seems to only run when depending on boring via git!

It'd be nice to have a few lines in the README clearly spelling out that, by default, the crate pins a specific boringssl version (and thus doesn't break reproducibility).

commented

Yes, sounds like a good improvement :) happy to take a PR.