There's a merged pull request on the void-packages repository: "RFC: build-style/cargo: produce auditable binaries" (https://github.com/void-linux/void-packages/pull/40272).

Description:

#### Testing the changes

- I tested the changes in this PR: **YES**

In contrast to other distros like f.ex. Fedora, we don't ship each crate in the dependency tree of a rust project as its own (source) package, which means that xbps isn't aware of those dependencies. Recovering what versions of specific libraries are used on a system is made very hard by this, which leaves people clueless about what to do in a situation when a library has a CVE, for example.

This change embeds a table of the dependencies that went into a binary into the binary itself, which means recovering what binaries contain which libraries becomes fairly trivial. Go does this by default, and the long-term goal is to do the same with Rust, but we aren't there yet.

An example of how usage could look:

```text
❯ syft packages --catalogers all --output syft-json /usr/bin | jq '.artifacts[] | select(.metadata.name=="tokio") | .locations[].path'
 ✔ Indexed /usr/bin
 ✔ Cataloged packages [1905 packages]
"sq"
```

This shows me that the only auditable rust binary depending on tokio on my system right now is `sq`, and with different jq filters I can get out any info I might need.
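The same lookup syft performs above can be done directly against the embedded table. This is an added example, not code from the PR or from void-packages; it assumes the cargo-auditable layout (a zlib-compressed JSON document in an ELF section named `.dep-v0`, where each package's `dependencies` list holds indices into the `packages` array), and it builds a minimal ELF image carrying such a section instead of reading a real binary.

```python
import json
import struct
import zlib

# cargo-auditable layout (assumption, not stated in the PR): zlib-compressed JSON in section ".dep-v0"
SECTION = b".dep-v0"

def elf_section(data: bytes, name: bytes):
    """Return the raw bytes of the named section of a little-endian ELF64 image, or None."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    shoff, = struct.unpack_from("<Q", data, 40)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 58)
    hdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    strtab = data[hdrs[shstrndx][4]:hdrs[shstrndx][4] + hdrs[shstrndx][5]]
    for h in hdrs:  # h[0]=sh_name, h[4]=sh_offset, h[5]=sh_size
        if strtab[h[0]:strtab.index(b"\0", h[0])] == name:
            return data[h[4]:h[4] + h[5]]
    return None

def dependencies(data: bytes) -> list:
    """Decode the embedded dependency table; [] when the binary is not auditable."""
    blob = elf_section(data, SECTION)
    return json.loads(zlib.decompress(blob))["packages"] if blob else []

def consumers_of(packages: list, crate: str) -> list:
    """Names of packages that depend directly on `crate` ('dependencies' are indices into the table)."""
    wanted = {i for i, p in enumerate(packages) if p["name"] == crate}
    return sorted(p["name"] for p in packages if wanted & set(p.get("dependencies", [])))

def build_elf(name: bytes, payload: bytes) -> bytes:
    """Constructed stand-in for a real auditable binary: a minimal ELF64 with one named section."""
    shstrtab = b"\0" + name + b"\0.shstrtab\0"
    str_off = 64 + len(payload)
    shoff = str_off + len(shstrtab)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)
    sh = lambda n, t, off, size: struct.pack("<IIQQQQIIQQ", n, t, 0, 0, off, size, 0, 0, 1, 0)
    shdrs = sh(0, 0, 0, 0) + sh(1, 1, 64, len(payload)) + sh(2 + len(name), 3, str_off, len(shstrtab))
    return ehdr + payload + shstrtab + shdrs

# Constructed dependency table: crate names are real, versions and the tree are made up for the demo
SAMPLE = {"packages": [
    {"name": "sq", "version": "0.1.0", "source": "local", "root": True, "dependencies": [1, 2]},
    {"name": "tokio", "version": "1.0.0", "source": "crates.io", "dependencies": [3]},
    {"name": "serde", "version": "1.0.0", "source": "crates.io"},
    {"name": "mio", "version": "0.8.0", "source": "crates.io"},
]}

def sample_binary() -> bytes:
    return build_elf(SECTION, zlib.compress(json.dumps(SAMPLE).encode()))
```

Running `consumers_of(dependencies(sample_binary()), "tokio")` yields `['sq']`, the same answer the syft/jq pipeline above gives; the `version` field of each entry is what you would compare against an advisory.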