Github messages for voidlinux
From: classabbyamp <classabbyamp@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Merged]: RFC: build-style/cargo: produce auditable binaries
Date: Thu, 03 Nov 2022 08:50:14 +0100	[thread overview]
Message-ID: <20221103075014.tUqhLzR-lgKvsi6vM5NZAa6dil_RFVq_XbdNkzwgMSs@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-40272@inbox.vuxu.org>


There's a merged pull request on the void-packages repository

RFC: build-style/cargo: produce auditable binaries
https://github.com/void-linux/void-packages/pull/40272

Description:

#### Testing the changes
- I tested the changes in this PR: **YES**

In contrast to other distros like, for example, Fedora, we don't ship each crate in the
dependency tree of a Rust project as its own (source) package, which means that
xbps isn't aware of those dependencies. Recovering which versions of specific
libraries are used on a system is made very hard by this, which leaves people
clueless about what to do in a situation where a library has a CVE, for example.

This change embeds a table of dependencies that went into this binary into the
binary itself, which means recovering what binaries contain which libraries
becomes fairly trivial. Go does this by default, and the long-term goal is to
do the same with Rust, but we aren't there yet.

An example of how usage could look:

```text
❯ syft packages --catalogers all --output syft-json /usr/bin | jq '.artifacts[] | select(.metadata.name=="tokio") | .locations[].path'
 ✔ Indexed /usr/bin        
 ✔ Cataloged packages      [1905 packages]

"sq"
```

This shows me that the only auditable Rust binary depending on tokio on my
system right now is `sq`, and with different jq filters I can get out any info
I might need.
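As an added example (not part of the PR, of void-packages, or of the cargo-auditable project): a pure-Python reader for the data this change embeds, so the question answered by the jq filter above (which packages inside a binary pull in tokio) can be asked without syft. cargo-auditable writes a zlib-compressed JSON document, `{"packages": [{name, version, source, kind, dependencies, root?}]}`, into an ELF section named `.dep-v0`; the script locates that section with a minimal ELF64 section-header walk, decodes it, and reports both the versions of a crate present and the packages that directly depend on it, which is what you need to decide whether an advisory applies. The binary it parses is a constructed, non-executable ELF image containing only that section, and the crate names and versions in it are made up; `sq` is used as the root package only to match the example above.

```python
"""Read the dependency list cargo-auditable embeds in a Rust ELF binary (.dep-v0 section)."""
import json
import struct
import zlib
from typing import List, Optional

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")         # ELF64 section header
DEP_SECTION = ".dep-v0"                     # section name written by cargo-auditable


def elf_section(data: bytes, wanted: str) -> Optional[bytes]:
    """Return the raw bytes of section `wanted` from a little-endian ELF64 image, or None."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None  # not ELF, not ELFCLASS64, or not little-endian
    hdr = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if shentsize != SHDR.size or shnum == 0 or shstrndx >= shnum:
        return None
    if shoff + shnum * shentsize > len(data):
        return None  # truncated section header table
    headers = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = headers[shstrndx][4], headers[shstrndx][5]
    strtab = data[str_off:str_off + str_size]  # section-name string table
    for sh in headers:
        name_off = sh[0]
        end = strtab.find(b"\0", name_off)
        if name_off >= len(strtab) or end < 0:
            continue
        if strtab[name_off:end].decode("ascii", "replace") == wanted:
            off, size = sh[4], sh[5]
            return data[off:off + size]
    return None


def decode_audit(section: bytes) -> dict:
    """The section holds zlib-compressed JSON; dependencies are indices into `packages`."""
    return json.loads(zlib.decompress(section))


def audit_from_binary(data: bytes) -> Optional[dict]:
    sec = elf_section(data, DEP_SECTION)
    return None if sec is None else decode_audit(sec)


def crate_versions(audit: dict, crate: str) -> List[str]:
    """Every version of `crate` linked into the binary (duplicates are possible in a lock file)."""
    return sorted({p["version"] for p in audit["packages"] if p["name"] == crate})


def dependents_of(audit: dict, crate: str) -> List[str]:
    """'name version' of each package whose direct dependency list points at `crate`."""
    pkgs = audit["packages"]
    targets = {i for i, p in enumerate(pkgs) if p["name"] == crate}
    return sorted(f'{p["name"]} {p["version"]}'
                  for p in pkgs if targets & set(p.get("dependencies", [])))


# --- constructed sample input (made-up crate graph and versions; not a real sq build) ---
SAMPLE_AUDIT = {"packages": [
    {"name": "sq", "version": "0.26.0", "source": "local", "kind": "runtime",
     "dependencies": [1, 2], "root": True},
    {"name": "tokio", "version": "1.21.2", "source": "crates.io", "kind": "runtime",
     "dependencies": [3]},
    {"name": "reqwest", "version": "0.11.12", "source": "crates.io", "kind": "runtime",
     "dependencies": [1]},
    {"name": "pin-project-lite", "version": "0.2.9", "source": "crates.io", "kind": "runtime"},
]}


def build_sample_elf(payload: bytes) -> bytes:
    """Minimal ELF64 image with only a .dep-v0 section and .shstrtab; not runnable code."""
    shstrtab = b"\0.dep-v0\0.shstrtab\0"     # name offsets: .dep-v0 at 1, .shstrtab at 9
    body_off = EHDR.size
    str_off = body_off + len(payload)
    shoff = str_off + len(shstrtab)
    shoff += (-shoff) % 8                      # align the section header table
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = EHDR.pack(ident, 1, 62, 1, 0, 0, shoff, 0, EHDR.size, 0, 0, SHDR.size, 3, 2)
    shdrs = (SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                        # SHT_NULL
             + SHDR.pack(1, 1, 0, 0, body_off, len(payload), 0, 0, 1, 0)      # SHT_PROGBITS
             + SHDR.pack(9, 3, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0))     # SHT_STRTAB
    image = ehdr + payload + shstrtab
    return image + bytes(shoff - len(image)) + shdrs


def sample_binary() -> bytes:
    return build_sample_elf(zlib.compress(json.dumps(SAMPLE_AUDIT).encode()))


if __name__ == "__main__":
    audit = audit_from_binary(sample_binary())
    print("tokio versions:", crate_versions(audit, "tokio"))
    print("depends on tokio:", dependents_of(audit, "tokio"))
```

Point `audit_from_binary` at the bytes of a real cargo-auditable build to get the same answers for an installed binary; a `None` result means the binary carries no `.dep-v0` section, i.e. it was not built with this change (or is not a little-endian ELF64 file, which this minimal parser deliberately does not handle).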



Thread overview: 22+ messages
     [not found] <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-40272@inbox.vuxu.org>
2022-11-01 18:09 ` [PR REVIEW] " jcgruenhage
2022-11-01 18:34 ` classabbyamp
2022-11-01 19:37 ` [PR PATCH] [Updated] " jcgruenhage
2022-11-01 19:40 ` jcgruenhage
2022-11-01 20:23 ` [PR REVIEW] " classabbyamp
2022-11-01 20:23 ` classabbyamp
2022-11-01 21:37 ` jcgruenhage
2022-11-01 21:38 ` jcgruenhage
2022-11-01 21:46 ` [PR PATCH] [Updated] " jcgruenhage
2022-11-01 21:55 ` jcgruenhage
2022-11-01 21:56 ` [PR REVIEW] " jcgruenhage
2022-11-01 22:05 ` jcgruenhage
2022-11-01 22:34 ` [PR REVIEW] " classabbyamp
2022-11-01 22:39 ` jcgruenhage
2022-11-01 22:39 ` [PR PATCH] [Updated] " jcgruenhage
2022-11-01 22:46 ` [PR REVIEW] " paper42
2022-11-01 22:50 ` classabbyamp
2022-11-01 23:06 ` paper42
2022-11-01 23:19 ` classabbyamp
2022-11-02  5:46 ` [PR PATCH] [Updated] " jcgruenhage
2022-11-02  5:46 ` [PR REVIEW] " jcgruenhage
2022-11-03  7:50 ` classabbyamp [this message]
