RFC: build-style/cargo: produce auditable binaries #40272
Conversation
I like this, once the bootstrapping issue is solved and a cargo-world rebuild is tried (I can do this), I'd be happy to merge
(branch force-pushed from ef7c450 to 7ae095e)
After some discussion on IRC, I've decided on a second bootstrap package. I've built a few things locally and it does work as expected for me, but I don't have the resources to do a world rebuild right now
I think the cargo-auditable{,-bootstrap} changes should be their own commits.
(branch force-pushed from cb47dfc to f4ae30d)
To make sure this isn't lost to the IRC backlog: I've rebuilt all 173 packages that use the cargo build style, and except for
(branch force-pushed from f4ae30d to f51f89d)
(branch force-pushed from f51f89d to 454b3b9)
Testing the changes
In contrast to other distros like f.ex. Fedora, we don't ship each crate in the dependency tree of a rust project as its own (source) package, which means that xbps isn't aware of those dependencies. Recovering what versions of specific libraries are used on a system is made very hard by this, which leaves people clueless about what to do in a situation when a library has a CVE, for example.

This change embeds a table of the dependencies that went into a binary into the binary itself, which means recovering which binaries contain which libraries becomes fairly trivial. Go does this by default, and the long-term goal is to do the same with Rust, but we aren't there yet.
An example of how usage could look:
This shows me that the only auditable rust binary depending on tokio on my system right now is sq, and with different jq filters I can get out any info I might need.