Github messages for voidlinux
From: jcgruenhage <jcgruenhage@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] RFC: build-style/cargo: produce auditable binaries
Date: Wed, 02 Nov 2022 06:46:09 +0100	[thread overview]
Message-ID: <20221102054609.C0JAGJYfawT0zoK8xbjElOq0FAPufSSrSWjm_0EGA3c@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-40272@inbox.vuxu.org>


There is an updated pull request by jcgruenhage against master on the void-packages repository

https://github.com/jcgruenhage/void-packages auditable-rust-binaries
https://github.com/void-linux/void-packages/pull/40272

RFC: build-style/cargo: produce auditable binaries

#### Testing the changes
- I tested the changes in this PR: **YES**

In contrast to other distros like e.g. Fedora, we don't ship each crate in the
dependency tree of a Rust project as its own (source) package, which means that
xbps isn't aware of those dependencies. Recovering what versions of specific
libraries are used on a system is made very hard by this, which leaves people
clueless about what to do in a situation when a library has a CVE, for example.

This change embeds a table of the dependencies that went into a binary into the
binary itself, which means recovering which binaries contain which libraries
becomes fairly trivial. Go does this by default, and the long-term goal is to
do the same with Rust, but we aren't there yet.

An example of how usage could look:

```text
❯ syft packages --catalogers all --output syft-json /usr/bin | jq '.artifacts[] | select(.metadata.name=="tokio") | .locations[].path'
 ✔ Indexed /usr/bin        
 ✔ Cataloged packages      [1905 packages]

"sq"
```

This shows me that the only auditable rust binary depending on tokio on my
system right now is `sq`, and with different jq filters I can get out any info
I might need.


A patch file from https://github.com/void-linux/void-packages/pull/40272.patch is attached

[-- Attachment #2: github-pr-auditable-rust-binaries-40272.patch --]
[-- Type: text/x-diff, Size: 4279 bytes --]

From c32034ab750ebe36a20a79764e905d249460dcd5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 22:27:17 +0100
Subject: [PATCH 1/3] New package: cargo-auditable-bootstrap-0.5.2

---
 srcpkgs/cargo-auditable-bootstrap/template | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 srcpkgs/cargo-auditable-bootstrap/template

diff --git a/srcpkgs/cargo-auditable-bootstrap/template b/srcpkgs/cargo-auditable-bootstrap/template
new file mode 100644
index 000000000000..21ec5a7f966c
--- /dev/null
+++ b/srcpkgs/cargo-auditable-bootstrap/template
@@ -0,0 +1,20 @@
+# Template file for 'cargo-auditable-bootstrap'
+# Keep synced with cargo-auditable
+pkgname=cargo-auditable-bootstrap
+version=0.5.2
+revision=1
+wrksrc=cargo-auditable-${version}
+build_wrksrc=cargo-auditable
+build_style=cargo
+# Required for bootstrapping purposes
+make_cmd=cargo
+short_desc="Bootstrap package for cargo-auditable"
+maintainer="Jan Christian Grünhage <jan.christian@gruenhage.xyz>"
+license="MIT,Apache-2.0"
+homepage="https://github.com/rust-secure-code/cargo-auditable"
+distfiles="https://github.com/rust-secure-code/cargo-auditable/archive/refs/tags/v${version}.tar.gz"
+checksum=fee70e8d2354e47eba1fed767430c12423c2a93c37307ae4c7d977c7693b88dd
+
+post_install() {
+	vlicense ../LICENSE-MIT
+}
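Review bot: the comment on `make_cmd=cargo` ("Required for bootstrapping purposes") does not say what it is overriding, yet this line is the only thing that stops the bootstrap package from running `cargo auditable` on itself once the build-style default changes; spell that out, e.g. `# build with plain cargo: the build-style default is "cargo auditable", which this package provides`. The `version=`, `wrksrc=cargo-auditable-${version}`, `distfiles=` and `checksum=` lines are copies of srcpkgs/cargo-auditable/template guarded only by a "Keep synced" comment, so an update that bumps one template and not the other would ship a bootstrap tool built from a different tree; a reviewer of future bumps should diff the two templates, or the version could be factored so it is declared once.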

From 59272778ca7de242eb5a74e2af6e2d582c882bcc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 22:28:16 +0100
Subject: [PATCH 2/3] cargo-auditable: depend and conflict on bootstrap package

---
 srcpkgs/cargo-auditable/template | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/cargo-auditable/template b/srcpkgs/cargo-auditable/template
index 0f95e6dc4d65..642e02a534cd 100644
--- a/srcpkgs/cargo-auditable/template
+++ b/srcpkgs/cargo-auditable/template
@@ -1,15 +1,18 @@
 # Template file for 'cargo-auditable'
+# Keep synced with cargo-auditable-bootstrap
 pkgname=cargo-auditable
 version=0.5.2
-revision=1
+revision=2
 build_wrksrc=cargo-auditable
 build_style=cargo
+hostmakedepends="cargo-auditable-bootstrap"
 short_desc="Tool for embedding dependency information in rust binaries"
 maintainer="Jan Christian Grünhage <jan.christian@gruenhage.xyz>"
 license="MIT,Apache-2.0"
 homepage="https://github.com/rust-secure-code/cargo-auditable"
 distfiles="https://github.com/rust-secure-code/cargo-auditable/archive/refs/tags/v${version}.tar.gz"
 checksum=fee70e8d2354e47eba1fed767430c12423c2a93c37307ae4c7d977c7693b88dd
+conflicts=cargo-auditable-bootstrap
 
 post_install() {
 	vlicense ../LICENSE-MIT
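Review bot: `conflicts=cargo-auditable-bootstrap` is declared only in this template, not in the bootstrap one; unless xbps evaluates conflicts in both directions, installing the bootstrap package onto a system that already has cargo-auditable would not be refused, so consider adding the mirror `conflicts=cargo-auditable` to srcpkgs/cargo-auditable-bootstrap/template. The combination of `hostmakedepends="cargo-auditable-bootstrap"` and the conflict also means the bootstrap binary is the one that builds this package and is removed afterwards, which is the intended sequencing; the revision bump to 2 is present, as a rebuild requires.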

From 454b3b9338283ed56c413dde0a86ff2a2512acb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 22:29:59 +0100
Subject: [PATCH 3/3] build-style/cargo: produce auditable binaries

---
 common/build-style/cargo.sh             | 6 +++---
 common/environment/build-style/cargo.sh | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/common/build-style/cargo.sh b/common/build-style/cargo.sh
index 4c456394df5b..387e711060bc 100644
--- a/common/build-style/cargo.sh
+++ b/common/build-style/cargo.sh
@@ -3,20 +3,20 @@
 #
 
 do_build() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 
 	${make_cmd} build --release --target ${RUST_TARGET} ${configure_args}
 }
 
 do_check() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 
 	${make_check_pre} ${make_cmd} test --release --target ${RUST_TARGET} ${configure_args} \
 		${make_check_args}
 }
 
 do_install() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 	: ${make_install_args:=--path .}
 
 	${make_cmd} install --target ${RUST_TARGET} --root="${DESTDIR}/usr" \
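Review bot: changing the default `make_cmd` from `cargo` to `cargo auditable` in do_build, do_check and do_install is a behaviour change for every cargo-style template and depends on the unquoted `${make_cmd}` expansion splitting into two words; any template that already sets `make_cmd` itself now silently opts out of audit data, so the new default and that opt-out should be documented with the other cargo build-style variables in Manual.md. The same wrapper is also applied to `test` in do_check, which embeds the dependency table into test binaries that are never packaged; if that is deliberate (one wrapper for build and test), a one-line comment saying so would stop the next reader from "fixing" it back to plain `cargo`.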
diff --git a/common/environment/build-style/cargo.sh b/common/environment/build-style/cargo.sh
index c7c9863a055f..473750c7a359 100644
--- a/common/environment/build-style/cargo.sh
+++ b/common/environment/build-style/cargo.sh
@@ -1,5 +1,9 @@
 hostmakedepends+=" cargo"
 
+if ! [[ "$pkgname" =~ ^cargo-auditable(-bootstrap)?$ ]]; then
+	hostmakedepends+=" cargo-auditable"
+fi
+
 if [ "$CROSS_BUILD" ]; then
 	makedepends+=" rust-std"
 fi
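Review bot: the regex `^cargo-auditable(-bootstrap)?$` only keeps the two cargo-auditable templates from adding cargo-auditable to their own hostmakedepends; it does not touch `make_cmd`, so the bootstrap template still has to set `make_cmd=cargo` on its own (it does in this series) and cargo-auditable proper reaches the bootstrap tool through its own hostmakedepends. That coupling is spread over three files with no cross-reference, so add a comment here naming the two templates that must change together with this pattern. The `[[ ... =~ ... ]]` test is bash-only, which matches the rest of xbps-src.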

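The PR description finds auditable binaries with syft and jq. As an added example, not code from the PR or from the cargo-auditable project, the following Python script reads the same data without any external tool: it walks the ELF section headers by hand, pulls out the `.dep-v0` section that cargo-auditable writes into ELF binaries, zlib-inflates it and queries the JSON dependency table. To run offline it constructs a minimal ELF64 image around an invented dependency table; the crate names, versions and edges in `SAMPLE_AUDIT` and the root name `example-bin` are made up, and `/usr/bin/sq` in the usage comment is a placeholder path.

```python
#!/usr/bin/env python3
"""Read the dependency table cargo-auditable embeds in an ELF binary.

Added example, not part of the PR or of cargo-auditable itself; standard
library only. The ELF section table is parsed by hand, the `.dep-v0`
section is zlib-inflated and the JSON inside is queried.
"""
import json
import struct
import sys
import zlib

AUDIT_SECTION = ".dep-v0"   # section name cargo-auditable uses on ELF targets
SHT_NOBITS = 8              # section with no bytes in the file (.bss)


def elf_sections(data: bytes):
    """Yield (name, content) for each section of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    e_shoff = struct.unpack_from("<Q", data, 40)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 58)
    headers = []
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        sh_name, sh_type, _flags, _addr, sh_off, sh_size = struct.unpack_from("<IIQQQQ", data, off)
        headers.append((sh_name, sh_type, sh_off, sh_size))
    _, _, str_off, str_size = headers[e_shstrndx]      # section name string table
    shstrtab = data[str_off:str_off + str_size]
    for sh_name, sh_type, sh_off, sh_size in headers:
        name = shstrtab[sh_name:].split(b"\0", 1)[0].decode("ascii", "replace")
        content = b"" if sh_type == SHT_NOBITS else data[sh_off:sh_off + sh_size]
        yield name, content


def read_audit_data(data: bytes):
    """Return the decoded cargo-auditable JSON, or None if the binary has none."""
    for name, content in elf_sections(data):
        if name == AUDIT_SECTION:
            return json.loads(zlib.decompress(content))
    return None


def versions_of(audit: dict, crate: str) -> list:
    """All versions of `crate` in the table (a crate can appear more than once)."""
    return sorted(p["version"] for p in audit["packages"] if p["name"] == crate)


def runtime_closure(audit: dict) -> set:
    """Names reachable from the root over runtime edges only.

    Packages with kind == "build" (build scripts, proc-macros) are not linked
    into the shipped binary, so they are skipped when deciding whether a CVE
    in a crate actually affects the installed program.
    """
    pkgs = audit["packages"]
    stack = [i for i, p in enumerate(pkgs) if p.get("root")]
    seen = set()
    while stack:
        i = stack.pop()
        if i in seen:
            continue
        seen.add(i)
        for dep in pkgs[i].get("dependencies", []):   # indices into `packages`
            if pkgs[dep].get("kind", "runtime") == "runtime":
                stack.append(dep)
    return {pkgs[i]["name"] for i in seen}


# Constructed dependency table: names, versions and edges are invented.
SAMPLE_AUDIT = {"packages": [
    {"name": "example-bin", "version": "0.1.0", "source": "local",
     "dependencies": [1, 3], "root": True},
    {"name": "tokio", "version": "1.21.2", "source": "crates.io", "dependencies": [2]},
    {"name": "libc", "version": "0.2.135", "source": "crates.io"},
    {"name": "cc", "version": "1.0.73", "source": "crates.io", "kind": "build"},
]}


def build_sample_elf(audit: dict) -> bytes:
    """Constructed minimal ELF64 image carrying `audit` in a .dep-v0 section."""
    payload = zlib.compress(json.dumps(audit).encode())
    shstrtab = b"\0.shstrtab\0.dep-v0\0"             # name offsets 1 and 11
    str_off = 64                                     # right after the ELF header
    pay_off = str_off + len(shstrtab)
    shoff = pay_off + len(payload)                   # section table goes last
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 0, shoff,
                       0, 64, 0, 0, 64, 3, 1)        # e_shnum=3, e_shstrndx=1

    def shdr(name, sh_type, off, size):
        return struct.pack("<IIQQQQIIQQ", name, sh_type, 0, 0, off, size, 0, 0, 1, 0)

    table = (shdr(0, 0, 0, 0) + shdr(1, 3, str_off, len(shstrtab))
             + shdr(11, 1, pay_off, len(payload)))   # SHT_STRTAB=3, SHT_PROGBITS=1
    return ehdr + shstrtab + payload + table


if __name__ == "__main__":
    # usage: audit_deps.py /usr/bin/sq tokio   (placeholder path and crate)
    path, crate = sys.argv[1], sys.argv[2]
    with open(path, "rb") as fh:
        audit = read_audit_data(fh.read())
    if audit is None:
        sys.exit(f"{path}: no {AUDIT_SECTION} section")
    print(f"{crate} versions: {versions_of(audit, crate)}")
    print(f"{crate} in runtime closure: {crate in runtime_closure(audit)}")
```

Run against a real binary built with `cargo auditable build`, it answers the question the PR raises directly: which version of a crate is inside this program, and whether that crate is reachable at runtime or only by a build script. The parser is deliberately limited to little-endian ELF64; other targets would need the class/endianness read from `e_ident` and the matching struct formats.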

Thread overview: 22+ messages
     [not found] <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-40272@inbox.vuxu.org>
2022-11-01 18:09 ` [PR REVIEW] " jcgruenhage
2022-11-01 18:34 ` classabbyamp
2022-11-01 19:37 ` [PR PATCH] [Updated] " jcgruenhage
2022-11-01 19:40 ` jcgruenhage
2022-11-01 20:23 ` [PR REVIEW] " classabbyamp
2022-11-01 20:23 ` classabbyamp
2022-11-01 21:37 ` jcgruenhage
2022-11-01 21:38 ` jcgruenhage
2022-11-01 21:46 ` [PR PATCH] [Updated] " jcgruenhage
2022-11-01 21:55 ` jcgruenhage
2022-11-01 21:56 ` [PR REVIEW] " jcgruenhage
2022-11-01 22:05 ` jcgruenhage
2022-11-01 22:34 ` [PR REVIEW] " classabbyamp
2022-11-01 22:39 ` jcgruenhage
2022-11-01 22:39 ` [PR PATCH] [Updated] " jcgruenhage
2022-11-01 22:46 ` [PR REVIEW] " paper42
2022-11-01 22:50 ` classabbyamp
2022-11-01 23:06 ` paper42
2022-11-01 23:19 ` classabbyamp
2022-11-02  5:46 ` jcgruenhage [this message]
2022-11-02  5:46 ` jcgruenhage
2022-11-03  7:50 ` [PR PATCH] [Merged]: " classabbyamp
