
RFC: build-style/cargo: produce auditable binaries#40272

Merged
classabbyamp merged 3 commits intovoid-linux:masterfrom
jcgruenhage:auditable-rust-binaries
Nov 3, 2022

Conversation

@jcgruenhage
Contributor

Testing the changes

  • I tested the changes in this PR: YES

In contrast to other distros like f.ex. Fedora, we don't ship each crate in the
dependency tree of a Rust project as its own (source) package, which means that
xbps isn't aware of those dependencies. Recovering which versions of specific
libraries are used on a system is made very hard by this, which leaves people
clueless about what to do in a situation where a library has a CVE, for example.

This change embeds a table of the dependencies that went into a binary into the
binary itself, which means that recovering which binaries contain which libraries
becomes fairly trivial. Go does this by default, and the long-term goal is to
do the same with Rust, but we aren't there yet.

An example of how usage could look:

❯ syft packages --catalogers all --output syft-json /usr/bin | jq '.artifacts[] | select(.metadata.name=="tokio") | .locations[].path'
 ✔ Indexed /usr/bin
 ✔ Cataloged packages      [1905 packages]

"sq"

This shows me that the only auditable Rust binary depending on tokio on my
system right now is sq, and with different jq filters I can get out any info
I might need.
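For readers without syft at hand, here is what the embedded table actually is and how to query it directly. This is an added example, not code from this PR or from the cargo-auditable project: cargo-auditable stores a zlib-compressed JSON document in an ELF section named `.dep-v0`, and the script below locates that section with a minimal ELF64 section-header walk, decompresses it, and answers the "which binary/crate pulls in tokio" question from the JSON graph (direct dependents, and the shortest chain from the root crate to a given dependency, which is what you need to judge a CVE's reach). To run offline it also assembles a tiny non-executable ELF file around a constructed package list; the crate names match the description above, the version numbers are placeholders, and the JSON field names (`packages`, `dependencies` as indices, `root`, `kind`) follow cargo-auditable's format as I know it.

```python
import json
import struct
import zlib
from collections import deque

# Little-endian ELF64 layouts: the file header and each section header are 64 bytes.
EHDR = "<16sHHIQQQIHHHHHH"
SHDR = "<IIQQQQIIQQ"
DEP_SECTION = ".dep-v0"  # section cargo-auditable writes into ELF binaries

# Constructed sample of the JSON cargo-auditable embeds: "packages" is a flat list,
# "dependencies" holds indices into that list, "root" marks the binary's own crate,
# kind == "build" marks a build-only dependency. Versions here are placeholders.
SAMPLE_INFO = {
    "packages": [
        {"name": "sq", "version": "0.1.0", "source": "local", "root": True,
         "dependencies": [1, 2, 3]},
        {"name": "tokio", "version": "1.0.0", "source": "crates.io",
         "dependencies": [4]},
        {"name": "anyhow", "version": "1.0.0", "source": "crates.io"},
        {"name": "cc", "version": "1.0.0", "source": "crates.io", "kind": "build"},
        {"name": "libc", "version": "0.2.0", "source": "crates.io"},
    ]
}


def build_sample_elf(info, with_dep_section=True):
    """Assemble a minimal (non-executable) ELF64 file carrying the audit section,
    standing in for a real cargo-auditable binary so the parser can run offline."""
    dep = zlib.compress(json.dumps(info).encode())
    names = ([DEP_SECTION] if with_dep_section else []) + [".shstrtab"]
    shstrtab, name_off = b"\0", {}
    for n in names:  # section-name string table, index 0 is the empty name
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    bodies = {DEP_SECTION: dep, ".shstrtab": shstrtab}
    data, headers, offset = b"", [struct.pack(SHDR, *([0] * 10))], 64
    for n in names:
        body, sh_type = bodies[n], (3 if n == ".shstrtab" else 1)  # SHT_STRTAB / SHT_PROGBITS
        headers.append(struct.pack(SHDR, name_off[n], sh_type, 0, 0, offset, len(body), 0, 0, 1, 0))
        data, offset = data + body, offset + len(body)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, v1
    ehdr = struct.pack(EHDR, ident, 2, 62, 1, 0, 0, offset, 0, 64, 0, 0, 64,
                       len(headers), len(headers) - 1)  # .shstrtab is the last section
    return ehdr + data + b"".join(headers)


def read_section(elf, wanted):
    """Return the raw bytes of the named section, or None (little-endian ELF64 only)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    if e_shnum == 0:
        return None
    shdr = lambda i: struct.unpack_from(SHDR, elf, e_shoff + i * e_shentsize)
    str_off, str_size = shdr(e_shstrndx)[4:6]
    strtab = elf[str_off:str_off + str_size]
    for i in range(e_shnum):
        name_off, _, _, _, off, size = shdr(i)[:6]
        name = strtab[name_off:strtab.index(b"\0", name_off)].decode(errors="replace")
        if name == wanted:
            return elf[off:off + size]
    return None


def load_dependency_info(elf):
    """Decode the embedded dependency table; None means the binary is not auditable."""
    raw = read_section(elf, DEP_SECTION)
    return None if raw is None else json.loads(zlib.decompress(raw))


def find_versions(info, crate):
    return sorted(p["version"] for p in info["packages"] if p["name"] == crate)


def dependents_of(info, crate):
    """Names of packages that list `crate` as a direct dependency."""
    pkgs = info["packages"]
    targets = {i for i, p in enumerate(pkgs) if p["name"] == crate}
    return sorted(p["name"] for p in pkgs if targets & set(p.get("dependencies", [])))


def dependency_path(info, crate):
    """Shortest chain of crate names from the root package to `crate`, or None:
    tells you why a vulnerable crate is in the binary at all."""
    pkgs = info["packages"]
    root = next(i for i, p in enumerate(pkgs) if p.get("root"))
    queue, parent = deque([root]), {root: None}
    while queue:
        cur = queue.popleft()
        if pkgs[cur]["name"] == crate:
            path = []
            while cur is not None:
                path.append(pkgs[cur]["name"])
                cur = parent[cur]
            return path[::-1]
        for nxt in pkgs[cur].get("dependencies", []):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


if __name__ == "__main__":
    import sys
    elf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(SAMPLE_INFO)
    info = load_dependency_info(elf)
    for crate in ("tokio", "libc"):
        print(crate, find_versions(info, crate), dependency_path(info, crate)) if info else print("not auditable")
```

Run it with a path (e.g. `python audit.py /usr/bin/sq`) to read a real binary instead of the constructed one; the same bytes can be pulled out with `objcopy --dump-section .dep-v0=dep.z` and inflated with `zlib`. The script only understands little-endian ELF64, so 32-bit or big-endian Void targets would need the corresponding header layouts.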

@classabbyamp
Member

I like this; once the bootstrapping issue is solved and a cargo-world rebuild is tried (I can do this), I'd be happy to merge.

@jcgruenhage jcgruenhage force-pushed the auditable-rust-binaries branch from ef7c450 to 7ae095e Compare November 1, 2022 19:37
@jcgruenhage
Contributor Author

After some discussion on IRC, I've decided on a second bootstrap package. I've built a few things locally, and it does work as expected for me, but I don't have the resources to do a world rebuild right now.

Member

@classabbyamp classabbyamp left a comment


I think the cargo-auditable{,-bootstrap} changes should be their own commits.

@jcgruenhage jcgruenhage force-pushed the auditable-rust-binaries branch 2 times, most recently from cb47dfc to f4ae30d Compare November 1, 2022 21:55
@jcgruenhage
Contributor Author

To make sure this isn't lost to the IRC backlog: I've rebuilt all 173 packages that use the cargo build style, and except for racer and signal-backup-decode, for which compilation failed, and eva, which has a checksum issue (see #40280), they all built successfully.

@jcgruenhage jcgruenhage force-pushed the auditable-rust-binaries branch from f4ae30d to f51f89d Compare November 1, 2022 22:39
3 participants