Github messages for voidlinux
* Re: [PR REVIEW] RFC: build-style/cargo: produce auditable binaries
       [not found] <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-40272@inbox.vuxu.org>
@ 2022-11-01 18:09 ` jcgruenhage
  2022-11-01 18:34 ` classabbyamp
                   ` (20 subsequent siblings)
  21 siblings, 0 replies; 22+ messages in thread
From: jcgruenhage @ 2022-11-01 18:09 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 417 bytes --]

New review comment by jcgruenhage on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#discussion_r1010749077

Comment:
We can either build cargo-auditable twice in the package and do magic PATH fuckery, or we could have a cargo-auditable-bootstrap package which mirrors the regular cargo-auditable package, with the only addition of having a `make_cmd=cargo`. Either feels a bit icky.

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: RFC: build-style/cargo: produce auditable binaries
From: classabbyamp @ 2022-11-01 18:34 UTC (permalink / raw)
  To: ml


New comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#issuecomment-1298945835

Comment:
I like this, once the bootstrapping issue is solved and a cargo-world rebuild is tried (I can do this), I'd be happy to merge


* Re: [PR PATCH] [Updated] RFC: build-style/cargo: produce auditable binaries
From: jcgruenhage @ 2022-11-01 19:37 UTC (permalink / raw)
  To: ml


There is an updated pull request by jcgruenhage against master on the void-packages repository

https://github.com/jcgruenhage/void-packages auditable-rust-binaries
https://github.com/void-linux/void-packages/pull/40272

RFC: build-style/cargo: produce auditable binaries

#### Testing the changes
- I tested the changes in this PR: **YES**

In contrast to other distros like Fedora, we don't ship each crate in the
dependency tree of a Rust project as its own (source) package, which means that
xbps isn't aware of those dependencies. Recovering which versions of specific
libraries are used on a system is made very hard by this, which leaves people
clueless about what to do when a library has a CVE, for example.

This change embeds a table of dependencies that went into this binary into the
binary itself, which means recovering what binaries contain which libraries
becomes fairly trivial. Go does this by default, and the long-term goal is to
do the same with Rust, but we aren't there yet.

An example of how usage could look:

```text
❯ syft packages --catalogers all --output syft-json /usr/bin | jq '.artifacts[] | select(.metadata.name=="tokio") | .locations[].path'
 ✔ Indexed /usr/bin        
 ✔ Cataloged packages      [1905 packages]

"sq"
```

This shows me that the only auditable rust binary depending on tokio on my
system right now is `sq`, and with different jq filters I can get out any info
I might need.


A patch file from https://github.com/void-linux/void-packages/pull/40272.patch is attached

[-- Attachment #2: github-pr-auditable-rust-binaries-40272.patch --]
[-- Type: text/x-diff, Size: 3641 bytes --]

From 7ae095e8119337a2f09ab4f48da75110742fccfc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 18:40:18 +0100
Subject: [PATCH] build-style/cargo: produce auditable binaries

---
 common/build-style/cargo.sh                |  6 +++---
 common/environment/build-style/cargo.sh    |  4 ++++
 srcpkgs/cargo-auditable-bootstrap/template | 21 +++++++++++++++++++++
 srcpkgs/cargo-auditable/template           |  8 ++++++++
 4 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 srcpkgs/cargo-auditable-bootstrap/template

diff --git a/common/build-style/cargo.sh b/common/build-style/cargo.sh
index 4c456394df5b..387e711060bc 100644
--- a/common/build-style/cargo.sh
+++ b/common/build-style/cargo.sh
@@ -3,20 +3,20 @@
 #
 
 do_build() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 
 	${make_cmd} build --release --target ${RUST_TARGET} ${configure_args}
 }
 
 do_check() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 
 	${make_check_pre} ${make_cmd} test --release --target ${RUST_TARGET} ${configure_args} \
 		${make_check_args}
 }
 
 do_install() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 	: ${make_install_args:=--path .}
 
 	${make_cmd} install --target ${RUST_TARGET} --root="${DESTDIR}/usr" \
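Review bot: the default `cargo auditable` is now spelled out three times (do_build, do_check, do_install), and any template that sets `make_cmd=cargo` to work around a build problem silently opts out of the audit data with nothing flagging it; defining the default once at the top of the file would keep the three from drifting apart. Since `${make_cmd}` is deliberately unquoted so that the two words split, a comment saying so would stop a later "fix" that quotes it from breaking every cargo build. It is also worth confirming that `cargo auditable` passes the `test` and `install` subcommands used here through to cargo, and that `cargo auditable install --root` rebuilds with the wrapper rather than reusing a non-auditable artifact from an earlier step.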
diff --git a/common/environment/build-style/cargo.sh b/common/environment/build-style/cargo.sh
index c7c9863a055f..15f508651629 100644
--- a/common/environment/build-style/cargo.sh
+++ b/common/environment/build-style/cargo.sh
@@ -1,5 +1,9 @@
 hostmakedepends+=" cargo"
 
+if [ "$pkgname" != "cargo-auditable" ] && [ "$pkgname" != "cargo-auditable-bootstrap" ]; then
+	hostmakedepends+=" cargo-auditable"
+fi
+
 if [ "$CROSS_BUILD" ]; then
 	makedepends+=" rust-std"
 fi
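Review bot: the exclusion in the new `if` hard-codes both package names, so the list has to be kept in step with the bootstrap template by hand; a prefix match on `$pkgname` would cover both with one expression. Independently of the name check, this adds `cargo-auditable` to hostmakedepends even for templates that override `make_cmd=cargo`, which is harmless but means the declared dependency and the command actually run can disagree. A short comment on why the two cargo-auditable packages are exempt (a package cannot be its own host dependency) would help the next reader.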
diff --git a/srcpkgs/cargo-auditable-bootstrap/template b/srcpkgs/cargo-auditable-bootstrap/template
new file mode 100644
index 000000000000..7658e1390f9b
--- /dev/null
+++ b/srcpkgs/cargo-auditable-bootstrap/template
@@ -0,0 +1,21 @@
+# Template file for 'cargo-auditable-bootstrap'
+# Keep synced with cargo-auditable
+pkgname=cargo-auditable-bootstrap
+version=0.5.2
+revision=1
+wrksrc=cargo-auditable-${version}
+build_wrksrc=cargo-auditable
+build_style=cargo
+# Required for bootstrapping purposes
+make_cmd=cargo
+short_desc="Bootstrap package for cargo-auditable"
+maintainer="Jan Christian Grünhage <jan.christian@gruenhage.xyz>"
+license="MIT,Apache-2.0"
+homepage="https://github.com/rust-secure-code/cargo-auditable"
+distfiles="https://github.com/rust-secure-code/cargo-auditable/archive/refs/tags/v${version}.tar.gz"
+checksum=fee70e8d2354e47eba1fed767430c12423c2a93c37307ae4c7d977c7693b88dd
+conflicts=cargo-auditable-bootstrap
+
+post_install() {
+	vlicense ../LICENSE-MIT
+}
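Review bot: `conflicts=cargo-auditable-bootstrap` in this new template names the package itself, so it declares a self-conflict instead of the intended conflict with `cargo-auditable`; either point it at `cargo-auditable` or drop it here, since the cargo-auditable template in the same patch already declares the conflict from the other side and xbps only needs it once. Both packages install the same `cargo-auditable` binary from the same tarball and checksum, so a conflict is genuinely required. A one-line comment next to `make_cmd=cargo` noting that the bootstrap binary is built with plain cargo, carries no audit data itself and exists only to build cargo-auditable would make the package's purpose clear.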
diff --git a/srcpkgs/cargo-auditable/template b/srcpkgs/cargo-auditable/template
index 0f95e6dc4d65..86f481e93ccf 100644
--- a/srcpkgs/cargo-auditable/template
+++ b/srcpkgs/cargo-auditable/template
@@ -1,4 +1,5 @@
 # Template file for 'cargo-auditable'
+# Keep synced with cargo-auditable-bootstrap
 pkgname=cargo-auditable
 version=0.5.2
 revision=1
@@ -10,6 +11,13 @@ license="MIT,Apache-2.0"
 homepage="https://github.com/rust-secure-code/cargo-auditable"
 distfiles="https://github.com/rust-secure-code/cargo-auditable/archive/refs/tags/v${version}.tar.gz"
 checksum=fee70e8d2354e47eba1fed767430c12423c2a93c37307ae4c7d977c7693b88dd
+conflicts=cargo-auditable-bootstrap
+
+if [ "$CROSS_BUILD" ]; then
+	hostmakedepends="cargo-auditable"
+else
+	hostmakedepends="cargo-auditable-bootstrap"
+fi
 
 post_install() {
 	vlicense ../LICENSE-MIT
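Review bot: the `CROSS_BUILD` branch makes cargo-auditable a host dependency of itself, which only resolves once a native cargo-auditable is already published, so the first cross build of this package can only happen after a native build has landed in the repository; a comment stating that ordering would save a confused contributor. With `conflicts=cargo-auditable-bootstrap` here and the bootstrap package as the native host dependency, the build only succeeds if the environment file reliably keeps `cargo-auditable` out of its own hostmakedepends, otherwise both end up in one host transaction and xbps refuses it. `revision=1` is unchanged although the package is now built through the bootstrap wrapper, so the published binary will not be rebuilt until it is bumped.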

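The syft query in the PR description relies on syft already understanding the cargo-auditable format. The following is an added example written for this page (not code from the PR or from the cargo-auditable project) that reads the data directly: cargo-auditable stores a zlib-compressed JSON document in an ELF section named `.dep-v0`, with a `packages` array whose entries carry `name`, `version`, `source`, an optional `kind` (`"build"` for build-time dependencies, omitted for runtime ones), `dependencies` as indices into the same array, and `root` on the crate the binary was built from. The script builds a tiny synthetic ELF64 image carrying such a section (the ELF builder is a test fixture, and the crate versions are made up), then answers the same "which binaries contain tokio" question without syft and walks the runtime dependency closure, which a flat name match does not show.

```python
# Added example: pull cargo-auditable's dependency table out of an ELF binary without syft.
import json
import struct
import zlib

DEP_SECTION = b".dep-v0"            # section cargo-auditable writes on ELF targets
ELF_HDR = "<16sHHIQQQIHHHHHH"       # ELF64 little-endian file header, 64 bytes
SEC_HDR = "<IIQQQQIIQQ"             # ELF64 section header, 64 bytes
ELF_HDR_SIZE = struct.calcsize(ELF_HDR)
SEC_HDR_SIZE = struct.calcsize(SEC_HDR)


def read_elf64_section(data, wanted):
    """Raw bytes of section `wanted`, or None if absent; ValueError if not LE ELF64."""
    if len(data) < ELF_HDR_SIZE or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(ELF_HDR, data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    sections = [struct.unpack_from(SEC_HDR, data, shoff + i * shentsize) for i in range(shnum)]
    strtab = sections[shstrndx]
    names = data[strtab[4]:strtab[4] + strtab[5]]          # sh_offset / sh_size of .shstrtab
    for sh in sections:
        if names[sh[0]:names.index(b"\x00", sh[0])] == wanted:
            return data[sh[4]:sh[4] + sh[5]]
    return None


def parse_dep_v0(blob):
    """The section holds zlib-compressed JSON; return its `packages` array."""
    return json.loads(zlib.decompress(blob))["packages"]


def runtime_closure(packages):
    """Crates reachable from the root over runtime edges; `kind: build` entries are skipped."""
    stack = [i for i, p in enumerate(packages) if p.get("root")]
    seen = set()
    while stack:
        i = stack.pop()
        if i in seen or packages[i].get("kind", "runtime") == "build":
            continue
        seen.add(i)
        stack.extend(packages[i].get("dependencies", []))
    return sorted((packages[i]["name"], packages[i]["version"]) for i in seen)


def binaries_using(crate, binaries):
    """{path: bytes} -> sorted (path, version) pairs whose audit data lists `crate`.
    Non-ELF files and ELF files without .dep-v0 (not built auditably) are skipped."""
    hits = []
    for path, data in binaries.items():
        try:
            blob = read_elf64_section(data, DEP_SECTION)
        except ValueError:
            continue
        if blob is not None:
            hits += [(path, p["version"]) for p in parse_dep_v0(blob) if p["name"] == crate]
    return sorted(hits)


def build_elf64(sections):
    """Constructed test fixture: bare ELF64 image holding {name: bytes} sections, no code."""
    names = list(sections)
    shstrtab, name_off = b"\x00", {}
    for n in names + [b".shstrtab"]:
        name_off[n] = len(shstrtab)
        shstrtab += n + b"\x00"
    body, offsets = b"", {}
    for n in names:
        offsets[n] = ELF_HDR_SIZE + len(body)
        body += sections[n]
    shstr_off = ELF_HDR_SIZE + len(body)
    shoff = shstr_off + len(shstrtab)
    shnum = len(names) + 2                                  # SHN_UNDEF + ours + .shstrtab
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9             # ELF64, little-endian, version 1
    hdr = struct.pack(ELF_HDR, ident, 3, 62, 1, 0, 0, shoff, 0,
                      ELF_HDR_SIZE, 56, 0, SEC_HDR_SIZE, shnum, shnum - 1)
    shdrs = struct.pack(SEC_HDR, *([0] * 10))               # mandatory null section
    for n in names:                                         # SHT_PROGBITS
        shdrs += struct.pack(SEC_HDR, name_off[n], 1, 0, 0, offsets[n], len(sections[n]), 0, 0, 1, 0)
    shdrs += struct.pack(SEC_HDR, name_off[b".shstrtab"], 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)
    return hdr + body + shstrtab + shdrs


# Constructed sample in cargo-auditable's JSON shape; names echo the thread, versions are made up.
SAMPLE_AUDIT = {"packages": [
    {"name": "sq", "version": "0.27.0", "source": "local", "root": True, "dependencies": [1, 2]},
    {"name": "tokio", "version": "1.21.2", "source": "crates.io", "dependencies": [3]},
    {"name": "cc", "version": "1.0.73", "source": "crates.io", "kind": "build"},
    {"name": "pin-project-lite", "version": "0.2.9", "source": "crates.io"},
]}


def sample_binaries():
    """Three constructed files: an auditable ELF, a plain ELF, and a shell script."""
    auditable = build_elf64({DEP_SECTION: zlib.compress(json.dumps(SAMPLE_AUDIT).encode())})
    return {"/usr/bin/sq": auditable,
            "/usr/bin/plain": build_elf64({b".text": b"\xc3"}),
            "/usr/bin/script": b"#!/bin/sh\n"}


if __name__ == "__main__":
    files = sample_binaries()
    print("binaries depending on tokio:", binaries_using("tokio", files))
    pkgs = parse_dep_v0(read_elf64_section(files["/usr/bin/sq"], DEP_SECTION))
    print("runtime closure of sq:", runtime_closure(pkgs))
```

On a real system the dictionary would be filled from the files under `/usr/bin`; binaries that were built with plain `cargo` (for instance through a template that overrides `make_cmd`) simply have no `.dep-v0` section and are skipped, which is also the quickest check that the build style change actually took effect for a given package.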

* Re: RFC: build-style/cargo: produce auditable binaries
From: jcgruenhage @ 2022-11-01 19:40 UTC (permalink / raw)
  To: ml


New comment by jcgruenhage on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#issuecomment-1299023284

Comment:
After some discussion on IRC, I've decided on a second bootstrap package. I've built a few things locally and it does work as expected for me, but I don't have the resources to do a world rebuild right now


* Re: [PR REVIEW] RFC: build-style/cargo: produce auditable binaries
From: classabbyamp @ 2022-11-01 20:23 UTC (permalink / raw)
  To: ml


New review comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#discussion_r1010835835

Comment:
```suggestion
if ! [[ "$pkgname" =~ /^cargo-auditable/ ]]; then
```
bashism is a bit shorter


* Re: [PR REVIEW] RFC: build-style/cargo: produce auditable binaries
From: classabbyamp @ 2022-11-01 20:23 UTC (permalink / raw)
  To: ml


New review comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#discussion_r1010833995

Comment:
conflicts only needs to be specified on one package, and i think this one is backwards anyways


* Re: [PR REVIEW] RFC: build-style/cargo: produce auditable binaries
From: jcgruenhage @ 2022-11-01 21:37 UTC (permalink / raw)
  To: ml


New review comment by jcgruenhage on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#discussion_r1010925719

Comment:
```
❯ ./xbps-src -Q -s -j 16 pkg cargo-auditable          
=> xbps-src: updating repositories for host (x86_64)...
[*] Updating repository `https://repo-default.voidlinux.org/current/x86_64-repodata' ...
[*] Updating repository `https://repo-default.voidlinux.org/current/nonfree/x86_64-repodata' ...
[*] Updating repository `https://repo-default.voidlinux.org/current/debug/x86_64-repodata' ...
[*] Updating repository `https://repo-default.voidlinux.org/current/multilib/x86_64-repodata' ...
[*] Updating repository `https://repo-default.voidlinux.org/current/multilib/nonfree/x86_64-repodata' ...
=> xbps-src: updating software in / masterdir...
=> xbps-src: cleaning up / masterdir...
=> cargo-auditable-0.5.2_1: removing autodeps, please wait...
=> cargo-auditable-0.5.2_1: building [cargo] [rust] for x86_64...
   [host] cargo-auditable-bootstrap-0.5.2_1: found (/host/binpkgs/auditable-rust-binaries)
   [host] cargo-1.63.0_1: found (https://repo-default.voidlinux.org/current)
   [host] cargo-auditable-0.5.2_1: found (/host/binpkgs/auditable-rust-binaries)
=> cargo-auditable-0.5.2_1: installing host dependencies: cargo-auditable-bootstrap-0.5.2_1 cargo-1.63.0_1 cargo-auditable-0.5.2_1 ...
=> cargo-auditable-0.5.2_1: removing autodeps, please wait...
=> ERROR: cargo-auditable-0.5.2_1: failed to install host dependencies! (error 11)
CONFLICT: cargo-auditable-0.5.2_1 with cargo-auditable-bootstrap-0.5.2_1 in transaction (matched by cargo-auditable-bootstrap)
Transaction aborted due to conflicting packages.
=> ERROR: Please see above for the real error, exiting...
```


* Re: [PR REVIEW] RFC: build-style/cargo: produce auditable binaries
From: jcgruenhage @ 2022-11-01 21:38 UTC (permalink / raw)
  To: ml


New review comment by jcgruenhage on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#discussion_r1010925952

Comment:
doesn't look like the bashism really does what we want though


* Re: [PR PATCH] [Updated] RFC: build-style/cargo: produce auditable binaries
From: jcgruenhage @ 2022-11-01 21:46 UTC (permalink / raw)
  To: ml


There is an updated pull request by jcgruenhage against master on the void-packages repository

https://github.com/jcgruenhage/void-packages auditable-rust-binaries
https://github.com/void-linux/void-packages/pull/40272

RFC: build-style/cargo: produce auditable binaries

A patch file from https://github.com/void-linux/void-packages/pull/40272.patch is attached

[-- Attachment #2: github-pr-auditable-rust-binaries-40272.patch --]
[-- Type: text/x-diff, Size: 4161 bytes --]

From c32034ab750ebe36a20a79764e905d249460dcd5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 22:27:17 +0100
Subject: [PATCH 1/3] New package: cargo-auditable-bootstrap-0.5.2

---
 srcpkgs/cargo-auditable-bootstrap/template | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 srcpkgs/cargo-auditable-bootstrap/template

diff --git a/srcpkgs/cargo-auditable-bootstrap/template b/srcpkgs/cargo-auditable-bootstrap/template
new file mode 100644
index 000000000000..21ec5a7f966c
--- /dev/null
+++ b/srcpkgs/cargo-auditable-bootstrap/template
@@ -0,0 +1,20 @@
+# Template file for 'cargo-auditable-bootstrap'
+# Keep synced with cargo-auditable
+pkgname=cargo-auditable-bootstrap
+version=0.5.2
+revision=1
+wrksrc=cargo-auditable-${version}
+build_wrksrc=cargo-auditable
+build_style=cargo
+# Required for bootstrapping purposes
+make_cmd=cargo
+short_desc="Bootstrap package for cargo-auditable"
+maintainer="Jan Christian Grünhage <jan.christian@gruenhage.xyz>"
+license="MIT,Apache-2.0"
+homepage="https://github.com/rust-secure-code/cargo-auditable"
+distfiles="https://github.com/rust-secure-code/cargo-auditable/archive/refs/tags/v${version}.tar.gz"
+checksum=fee70e8d2354e47eba1fed767430c12423c2a93c37307ae4c7d977c7693b88dd
+
+post_install() {
+	vlicense ../LICENSE-MIT
+}
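Review bot: with the self-conflict gone, the conflict is declared only on cargo-auditable's side, which xbps accepts, but nobody reading just this template can tell that it must never be installed alongside cargo-auditable; a one-line comment next to `make_cmd=cargo` saying the bootstrap binary is built without audit data and exists only to build cargo-auditable would document that. `version`, `distfiles` and `checksum` are duplicated verbatim from cargo-auditable, and the "Keep synced" comment is the only guard against the two drifting apart on the next update.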

From 562ce695cb4e426764d3a2abdca90a54fa3a5c7e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 22:28:16 +0100
Subject: [PATCH 2/3] cargo-auditable: depend on self for native and bootstrap
 for crossbuilds

---
 srcpkgs/cargo-auditable/template | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/srcpkgs/cargo-auditable/template b/srcpkgs/cargo-auditable/template
index 0f95e6dc4d65..86f481e93ccf 100644
--- a/srcpkgs/cargo-auditable/template
+++ b/srcpkgs/cargo-auditable/template
@@ -1,4 +1,5 @@
 # Template file for 'cargo-auditable'
+# Keep synced with cargo-auditable-bootstrap
 pkgname=cargo-auditable
 version=0.5.2
 revision=1
@@ -10,6 +11,13 @@ license="MIT,Apache-2.0"
 homepage="https://github.com/rust-secure-code/cargo-auditable"
 distfiles="https://github.com/rust-secure-code/cargo-auditable/archive/refs/tags/v${version}.tar.gz"
 checksum=fee70e8d2354e47eba1fed767430c12423c2a93c37307ae4c7d977c7693b88dd
+conflicts=cargo-auditable-bootstrap
+
+if [ "$CROSS_BUILD" ]; then
+	hostmakedepends="cargo-auditable"
+else
+	hostmakedepends="cargo-auditable-bootstrap"
+fi
 
 post_install() {
 	vlicense ../LICENSE-MIT
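Review bot: the commit subject says "depend on self for native and bootstrap for crossbuilds", but the hunk does the opposite: the `CROSS_BUILD` branch pulls in `cargo-auditable` (self) and the native branch pulls in `cargo-auditable-bootstrap`. One of the two should change; as written, the native case is the one that works from scratch and the cross case needs an already published cargo-auditable on the host.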

From cb47dfcefb6124c463279502a1aaf79e0bc2559c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 22:29:59 +0100
Subject: [PATCH 3/3] build-style/cargo: produce auditable binaries

---
 common/build-style/cargo.sh             | 6 +++---
 common/environment/build-style/cargo.sh | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/common/build-style/cargo.sh b/common/build-style/cargo.sh
index 4c456394df5b..387e711060bc 100644
--- a/common/build-style/cargo.sh
+++ b/common/build-style/cargo.sh
@@ -3,20 +3,20 @@
 #
 
 do_build() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 
 	${make_cmd} build --release --target ${RUST_TARGET} ${configure_args}
 }
 
 do_check() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 
 	${make_check_pre} ${make_cmd} test --release --target ${RUST_TARGET} ${configure_args} \
 		${make_check_args}
 }
 
 do_install() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 	: ${make_install_args:=--path .}
 
 	${make_cmd} install --target ${RUST_TARGET} --root="${DESTDIR}/usr" \
diff --git a/common/environment/build-style/cargo.sh b/common/environment/build-style/cargo.sh
index c7c9863a055f..22fb4b195d57 100644
--- a/common/environment/build-style/cargo.sh
+++ b/common/environment/build-style/cargo.sh
@@ -1,5 +1,9 @@
 hostmakedepends+=" cargo"
 
+if ! [[ "$pkgname" =~ ^cargo-auditable ]]; then
+	hostmakedepends+=" cargo-auditable"
+fi
+
 if [ "$CROSS_BUILD" ]; then
 	makedepends+=" rust-std"
 fi
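Review bot: the right-hand side of `=~` is correctly left unquoted so that `^` acts as an anchor; quoting it would turn the pattern into a literal string, re-enable the dependency for both cargo-auditable packages and recreate the self-dependency this check exists to prevent, so a comment saying the quotes are intentionally absent would protect it. The earlier suggestion with slashes around the pattern did not match, as the `xbps-src` log in this thread shows (both packages ended up in the host transaction and conflicted). A prefix match also exempts any future package whose name starts with `cargo-auditable`, which looks intended but is worth stating.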


* Re: [PR PATCH] [Updated] RFC: build-style/cargo: produce auditable binaries
From: jcgruenhage @ 2022-11-01 21:55 UTC (permalink / raw)
  To: ml


There is an updated pull request by jcgruenhage against master on the void-packages repository

https://github.com/jcgruenhage/void-packages auditable-rust-binaries
https://github.com/void-linux/void-packages/pull/40272

RFC: build-style/cargo: produce auditable binaries

A patch file from https://github.com/void-linux/void-packages/pull/40272.patch is attached

[-- Attachment #2: github-pr-auditable-rust-binaries-40272.patch --]
[-- Type: text/x-diff, Size: 4236 bytes --]

From c32034ab750ebe36a20a79764e905d249460dcd5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 22:27:17 +0100
Subject: [PATCH 1/3] New package: cargo-auditable-bootstrap-0.5.2

---
 srcpkgs/cargo-auditable-bootstrap/template | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 srcpkgs/cargo-auditable-bootstrap/template

diff --git a/srcpkgs/cargo-auditable-bootstrap/template b/srcpkgs/cargo-auditable-bootstrap/template
new file mode 100644
index 000000000000..21ec5a7f966c
--- /dev/null
+++ b/srcpkgs/cargo-auditable-bootstrap/template
@@ -0,0 +1,20 @@
+# Template file for 'cargo-auditable-bootstrap'
+# Keep synced with cargo-auditable
+pkgname=cargo-auditable-bootstrap
+version=0.5.2
+revision=1
+wrksrc=cargo-auditable-${version}
+build_wrksrc=cargo-auditable
+build_style=cargo
+# Required for bootstrapping purposes
+make_cmd=cargo
+short_desc="Bootstrap package for cargo-auditable"
+maintainer="Jan Christian Grünhage <jan.christian@gruenhage.xyz>"
+license="MIT,Apache-2.0"
+homepage="https://github.com/rust-secure-code/cargo-auditable"
+distfiles="https://github.com/rust-secure-code/cargo-auditable/archive/refs/tags/v${version}.tar.gz"
+checksum=fee70e8d2354e47eba1fed767430c12423c2a93c37307ae4c7d977c7693b88dd
+
+post_install() {
+	vlicense ../LICENSE-MIT
+}

From e161a17ca5407619a50b4c278589567807db1e06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 22:28:16 +0100
Subject: [PATCH 2/3] cargo-auditable: depend and conflict on bootstrap package

---
 srcpkgs/cargo-auditable/template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/srcpkgs/cargo-auditable/template b/srcpkgs/cargo-auditable/template
index 0f95e6dc4d65..fb8fdfab398b 100644
--- a/srcpkgs/cargo-auditable/template
+++ b/srcpkgs/cargo-auditable/template
@@ -1,15 +1,18 @@
 # Template file for 'cargo-auditable'
+# Keep synced with cargo-auditable-bootstrap
 pkgname=cargo-auditable
 version=0.5.2
 revision=1
 build_wrksrc=cargo-auditable
 build_style=cargo
+hostmakedepends="cargo-auditable-bootstrap"
 short_desc="Tool for embedding dependency information in rust binaries"
 maintainer="Jan Christian Grünhage <jan.christian@gruenhage.xyz>"
 license="MIT,Apache-2.0"
 homepage="https://github.com/rust-secure-code/cargo-auditable"
 distfiles="https://github.com/rust-secure-code/cargo-auditable/archive/refs/tags/v${version}.tar.gz"
 checksum=fee70e8d2354e47eba1fed767430c12423c2a93c37307ae4c7d977c7693b88dd
+conflicts=cargo-auditable-bootstrap
 
 post_install() {
 	vlicense ../LICENSE-MIT
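Review bot: `revision=1` is unchanged although the package is now built through `cargo-auditable-bootstrap`, so the already published cargo-auditable-0.5.2_1 will not be rebuilt and the repository's own cargo-auditable would remain without audit data; bump `revision` to 2 in this commit. Declaring the bootstrap package both in `hostmakedepends` and in `conflicts` is fine for xbps-src, since the package under construction is never installed into the masterdir next to its host dependencies, but a comment saying so would stop someone from "fixing" it.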

From f4ae30d308d63cfadc609200f2384e5192721310 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 22:29:59 +0100
Subject: [PATCH 3/3] build-style/cargo: produce auditable binaries

---
 common/build-style/cargo.sh             | 6 +++---
 common/environment/build-style/cargo.sh | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/common/build-style/cargo.sh b/common/build-style/cargo.sh
index 4c456394df5b..387e711060bc 100644
--- a/common/build-style/cargo.sh
+++ b/common/build-style/cargo.sh
@@ -3,20 +3,20 @@
 #
 
 do_build() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 
 	${make_cmd} build --release --target ${RUST_TARGET} ${configure_args}
 }
 
 do_check() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 
 	${make_check_pre} ${make_cmd} test --release --target ${RUST_TARGET} ${configure_args} \
 		${make_check_args}
 }
 
 do_install() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 	: ${make_install_args:=--path .}
 
 	${make_cmd} install --target ${RUST_TARGET} --root="${DESTDIR}/usr" \
diff --git a/common/environment/build-style/cargo.sh b/common/environment/build-style/cargo.sh
index c7c9863a055f..22fb4b195d57 100644
--- a/common/environment/build-style/cargo.sh
+++ b/common/environment/build-style/cargo.sh
@@ -1,5 +1,9 @@
 hostmakedepends+=" cargo"
 
+if ! [[ "$pkgname" =~ ^cargo-auditable ]]; then
+	hostmakedepends+=" cargo-auditable"
+fi
+
 if [ "$CROSS_BUILD" ]; then
 	makedepends+=" rust-std"
 fi


* Re: [PR REVIEW] RFC: build-style/cargo: produce auditable binaries
From: jcgruenhage @ 2022-11-01 21:56 UTC (permalink / raw)
  To: ml


New review comment by jcgruenhage on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#discussion_r1010939122

Comment:
without the slashes it works as expected.


* Re: RFC: build-style/cargo: produce auditable binaries
From: jcgruenhage @ 2022-11-01 22:05 UTC (permalink / raw)
  To: ml


New comment by jcgruenhage on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#issuecomment-1299288562

Comment:
To make sure this isn't lost to the IRC backlog: I've rebuilt all 173 packages that use the cargo build style, and except for `racer` and `signal-backup-decode`, for which compilation failed, and `eva`, which has a checksum issue (see #40280), they were all built successfully.


* Re: [PR REVIEW] RFC: build-style/cargo: produce auditable binaries
From: classabbyamp @ 2022-11-01 22:34 UTC (permalink / raw)
  To: ml


New review comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#discussion_r1010964321

Comment:
let's revbump this, so it's auditable too


* Re: [PR REVIEW] RFC: build-style/cargo: produce auditable binaries
From: jcgruenhage @ 2022-11-01 22:39 UTC (permalink / raw)
  To: ml


New review comment by jcgruenhage on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#discussion_r1010966382

Comment:
good catch


* Re: [PR PATCH] [Updated] RFC: build-style/cargo: produce auditable binaries
From: jcgruenhage @ 2022-11-01 22:39 UTC (permalink / raw)
  To: ml


There is an updated pull request by jcgruenhage against master on the void-packages repository

https://github.com/jcgruenhage/void-packages auditable-rust-binaries
https://github.com/void-linux/void-packages/pull/40272

RFC: build-style/cargo: produce auditable binaries
<!-- Uncomment relevant sections and delete options which are not applicable -->

#### Testing the changes
- I tested the changes in this PR: **YES**

In contrast to other distros like f.ex. Fedora, we don't ship each crate in the
dependency tree of a Rust project as its own (source) package, which means that
xbps isn't aware of those dependencies. Recovering which versions of specific
libraries are used on a system is made very hard by this, which leaves people
clueless about what to do when a library has a CVE, for example.

This change embeds a table of dependencies that went into this binary into the
binary itself, which means recovering what binaries contain which libraries
becomes fairly trivial. Go does this by default, and the long-term goal is to
do the same with Rust, but we aren't there yet.

An example of how usage could look:

```text
❯ syft packages --catalogers all --output syft-json /usr/bin | jq '.artifacts[] | select(.metadata.name=="tokio") | .locations[].path'
 ✔ Indexed /usr/bin        
 ✔ Cataloged packages      [1905 packages]

"sq"
```

This shows me that the only auditable Rust binary depending on tokio on my
system right now is `sq`, and with different jq filters I can get out any info
I might need.


A patch file from https://github.com/void-linux/void-packages/pull/40272.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-auditable-rust-binaries-40272.patch --]
[-- Type: text/x-diff, Size: 4265 bytes --]

From c32034ab750ebe36a20a79764e905d249460dcd5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 22:27:17 +0100
Subject: [PATCH 1/3] New package: cargo-auditable-bootstrap-0.5.2

---
 srcpkgs/cargo-auditable-bootstrap/template | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 srcpkgs/cargo-auditable-bootstrap/template

diff --git a/srcpkgs/cargo-auditable-bootstrap/template b/srcpkgs/cargo-auditable-bootstrap/template
new file mode 100644
index 000000000000..21ec5a7f966c
--- /dev/null
+++ b/srcpkgs/cargo-auditable-bootstrap/template
@@ -0,0 +1,20 @@
+# Template file for 'cargo-auditable-bootstrap'
+# Keep synced with cargo-auditable
+pkgname=cargo-auditable-bootstrap
+version=0.5.2
+revision=1
+wrksrc=cargo-auditable-${version}
+build_wrksrc=cargo-auditable
+build_style=cargo
+# Required for bootstrapping purposes
+make_cmd=cargo
+short_desc="Bootstrap package for cargo-auditable"
+maintainer="Jan Christian Grünhage <jan.christian@gruenhage.xyz>"
+license="MIT,Apache-2.0"
+homepage="https://github.com/rust-secure-code/cargo-auditable"
+distfiles="https://github.com/rust-secure-code/cargo-auditable/archive/refs/tags/v${version}.tar.gz"
+checksum=fee70e8d2354e47eba1fed767430c12423c2a93c37307ae4c7d977c7693b88dd
+
+post_install() {
+	vlicense ../LICENSE-MIT
+}
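Review bot: the bootstrap template declares no `conflicts=` of its own, while the companion patch adds `conflicts=cargo-auditable-bootstrap` to `cargo-auditable`; both packages install the same `cargo-auditable` binary, so declaring the conflict on this side too keeps the relation explicit in both templates rather than only in one. `make_cmd=cargo` is what breaks the bootstrap cycle (the build style's new default is `cargo auditable`), which also means this binary itself ships without an embedded dependency table; that is acceptable for a build-only dependency but deserves a sentence in the comment above it. Finally, `version` and `checksum` have to move in lockstep with `srcpkgs/cargo-auditable/template`, as the `# Keep synced` comment asks: nothing enforces it, and bumping one template without the other silently builds the real package with an older bootstrap.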

From 59272778ca7de242eb5a74e2af6e2d582c882bcc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 22:28:16 +0100
Subject: [PATCH 2/3] cargo-auditable: depend and conflict on bootstrap package

---
 srcpkgs/cargo-auditable/template | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/cargo-auditable/template b/srcpkgs/cargo-auditable/template
index 0f95e6dc4d65..642e02a534cd 100644
--- a/srcpkgs/cargo-auditable/template
+++ b/srcpkgs/cargo-auditable/template
@@ -1,15 +1,18 @@
 # Template file for 'cargo-auditable'
+# Keep synced with cargo-auditable-bootstrap
 pkgname=cargo-auditable
 version=0.5.2
-revision=1
+revision=2
 build_wrksrc=cargo-auditable
 build_style=cargo
+hostmakedepends="cargo-auditable-bootstrap"
 short_desc="Tool for embedding dependency information in rust binaries"
 maintainer="Jan Christian Grünhage <jan.christian@gruenhage.xyz>"
 license="MIT,Apache-2.0"
 homepage="https://github.com/rust-secure-code/cargo-auditable"
 distfiles="https://github.com/rust-secure-code/cargo-auditable/archive/refs/tags/v${version}.tar.gz"
 checksum=fee70e8d2354e47eba1fed767430c12423c2a93c37307ae4c7d977c7693b88dd
+conflicts=cargo-auditable-bootstrap
 
 post_install() {
 	vlicense ../LICENSE-MIT
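Review bot: `conflicts=cargo-auditable-bootstrap` is a bare package name, whereas void-packages templates normally express conflicts as version patterns (`cargo-auditable-bootstrap>=0`); confirm that xlint and xbps accept the bare form before relying on it. `hostmakedepends="cargo-auditable-bootstrap"` as a plain assignment is fine, since the build-style environment file appends `" cargo"` with `+=` after the template is read. The `revision` bump to 2 is warranted even though the sources are unchanged: the package is now built through the bootstrap with `cargo auditable`, so the shipped binary differs.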

From f51f89d35cefd61afb3b734700d0e3eb6cbe5940 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 22:29:59 +0100
Subject: [PATCH 3/3] build-style/cargo: produce auditable binaries

---
 common/build-style/cargo.sh             | 6 +++---
 common/environment/build-style/cargo.sh | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/common/build-style/cargo.sh b/common/build-style/cargo.sh
index 4c456394df5b..387e711060bc 100644
--- a/common/build-style/cargo.sh
+++ b/common/build-style/cargo.sh
@@ -3,20 +3,20 @@
 #
 
 do_build() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 
 	${make_cmd} build --release --target ${RUST_TARGET} ${configure_args}
 }
 
 do_check() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 
 	${make_check_pre} ${make_cmd} test --release --target ${RUST_TARGET} ${configure_args} \
 		${make_check_args}
 }
 
 do_install() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 	: ${make_install_args:=--path .}
 
 	${make_cmd} install --target ${RUST_TARGET} --root="${DESTDIR}/usr" \
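Review bot: the three `: ${make_cmd:=cargo auditable}` defaults are identical and could be set once (for instance in `common/environment/build-style/cargo.sh`, which this patch already touches), so that `do_build`, `do_check` and `do_install` cannot drift apart later. The two-word default also relies on `${make_cmd}` staying unquoted at every call site so the shell splits it into `cargo auditable`; a short comment there would stop someone from "fixing" the quoting and breaking all three functions. Note that any template overriding `make_cmd` (as the bootstrap template does) silently opts out of auditable binaries, so grepping the tree for existing `make_cmd=` users of this build style before merge is worthwhile.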
diff --git a/common/environment/build-style/cargo.sh b/common/environment/build-style/cargo.sh
index c7c9863a055f..22fb4b195d57 100644
--- a/common/environment/build-style/cargo.sh
+++ b/common/environment/build-style/cargo.sh
@@ -1,5 +1,9 @@
 hostmakedepends+=" cargo"
 
+if ! [[ "$pkgname" =~ ^cargo-auditable ]]; then
+	hostmakedepends+=" cargo-auditable"
+fi
+
 if [ "$CROSS_BUILD" ]; then
 	makedepends+=" rust-std"
 fi
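Review bot: `^cargo-auditable` is anchored only at the start, so any future package whose name merely begins with `cargo-auditable` would also lose the `cargo-auditable` host dependency and then fail when the build style runs `cargo auditable build`; anchor both ends (`^cargo-auditable(-bootstrap)?$`) or list the two names in a `case`. The exclusion here and `make_cmd=cargo` in the bootstrap template must agree: excluding a package from the dependency without also overriding `make_cmd` leaves it invoking a `cargo auditable` subcommand that is not present in the chroot.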

^ permalink raw reply	[flat|nested] 22+ messages in thread
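The same question the syft | jq pipeline in the description answers (which binaries in /usr/bin link a given crate), done offline by reading the dependency table cargo-auditable embeds: it is stored in an ELF section named `.dep-v0` as zlib-compressed JSON whose `packages` list holds name, version and source per crate. This is an added example, not code from the PR or from cargo-auditable; `build_elf`, `sample_bin_dir` and every package name and version in them are constructed fixtures.

```python
import json
import struct
import zlib

SECTION = b".dep-v0"  # ELF section cargo-auditable writes: zlib-compressed JSON

def read_audit_data(elf: bytes) -> dict:
    """Decode the .dep-v0 table of a 64-bit LE ELF image; empty table if absent."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    shoff = struct.unpack_from("<Q", elf, 0x28)[0]  # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize)
             for i in range(shnum)]  # fields 4 and 5 are sh_offset and sh_size
    str_off, str_size = shdrs[shstrndx][4:6]
    strtab = elf[str_off:str_off + str_size]
    for name_idx, _type, _flags, _addr, off, size, *_ in shdrs:
        if strtab[name_idx:strtab.index(b"\0", name_idx)] == SECTION:
            return json.loads(zlib.decompress(elf[off:off + size]))
    return {"packages": []}

def binaries_depending_on(binaries: dict, crate: str) -> list:
    """Paths whose embedded table lists `crate`: the question the syft | jq line asks."""
    return sorted(path for path, image in binaries.items()
                  if any(p["name"] == crate for p in read_audit_data(image)["packages"]))

def crate_versions(binaries: dict, crate: str) -> dict:
    """Per binary, the versions of `crate` linked in (what an advisory lookup needs)."""
    found = {path: sorted({p["version"] for p in read_audit_data(image)["packages"]
                           if p["name"] == crate}) for path, image in binaries.items()}
    return {path: vers for path, vers in found.items() if vers}

def build_elf(sections: dict) -> bytes:
    """Constructed fixture: minimal ELF64 with section headers only, not runnable."""
    names = [b".shstrtab"] + list(sections)
    strtab, name_off = b"\0", {}
    for n in names:
        name_off[n] = len(strtab)
        strtab += n + b"\0"
    data = {b".shstrtab": strtab, **sections}
    body, offs = b"", {}
    for n in names:
        offs[n] = 64 + len(body)  # section bytes follow the 64-byte ELF header
        body += data[n]
    shdrs = [bytes(64)]  # index 0 is the mandatory SHN_UNDEF entry
    for n in names:  # sh_type 3 = STRTAB, 1 = PROGBITS
        shdrs.append(struct.pack("<IIQQQQIIQQ", name_off[n], 3 if n == b".shstrtab" else 1,
                                 0, 0, offs[n], len(data[n]), 0, 0, 1, 0))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(  # ET_DYN, x86-64, shstrndx 1
        "<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 0, 64 + len(body), 0, 64, 0, 0, 64, len(shdrs), 1)
    return ehdr + body + b"".join(shdrs)

def sample_bin_dir() -> dict:
    """Constructed stand-in for /usr/bin (schema as cargo-auditable, versions invented)."""
    sq = {"packages": [
        {"name": "sq", "version": "0.27.0", "source": "local", "root": True, "dependencies": [1]},
        {"name": "tokio", "version": "1.21.2", "source": "crates.io"}]}
    rg = {"packages": [
        {"name": "ripgrep", "version": "13.0.0", "source": "local", "root": True, "dependencies": [1]},
        {"name": "regex", "version": "1.6.0", "source": "crates.io"}]}
    auditable = lambda t: build_elf({SECTION: zlib.compress(json.dumps(t).encode())})
    return {"/usr/bin/sq": auditable(sq), "/usr/bin/rg": auditable(rg),
            "/usr/bin/xbps-install": build_elf({b".text": b"\x90\xc3"})}  # built without it
```

On a real system, replace `sample_bin_dir()` with a dict of `path: open(path, "rb").read()` over the executables and a binary built with plain `cargo` (like the bootstrap package) simply reports an empty table.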

* Re: [PR REVIEW] RFC: build-style/cargo: produce auditable binaries
       [not found] <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-40272@inbox.vuxu.org>
                   ` (14 preceding siblings ...)
  2022-11-01 22:39 ` [PR PATCH] [Updated] " jcgruenhage
@ 2022-11-01 22:46 ` paper42
  2022-11-01 22:50 ` classabbyamp
                   ` (5 subsequent siblings)
  21 siblings, 0 replies; 22+ messages in thread
From: paper42 @ 2022-11-01 22:46 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 425 bytes --]

New review comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#discussion_r1010970546

Comment:
Hmm, I don't like this `~=`. It's very unlikely there will be a package called cargo-auditable-something that would be wrongly caught by this, but it still feels like the wrong approach. Is there a reason why you prefer `~=` instead of just listing both packages @classabbyamp?

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PR REVIEW] RFC: build-style/cargo: produce auditable binaries
       [not found] <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-40272@inbox.vuxu.org>
                   ` (15 preceding siblings ...)
  2022-11-01 22:46 ` [PR REVIEW] " paper42
@ 2022-11-01 22:50 ` classabbyamp
  2022-11-01 23:06 ` paper42
                   ` (4 subsequent siblings)
  21 siblings, 0 replies; 22+ messages in thread
From: classabbyamp @ 2022-11-01 22:50 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 183 bytes --]

New review comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#discussion_r1010972669

Comment:
idk I thought it looked better

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PR REVIEW] RFC: build-style/cargo: produce auditable binaries
       [not found] <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-40272@inbox.vuxu.org>
                   ` (16 preceding siblings ...)
  2022-11-01 22:50 ` classabbyamp
@ 2022-11-01 23:06 ` paper42
  2022-11-01 23:19 ` classabbyamp
                   ` (3 subsequent siblings)
  21 siblings, 0 replies; 22+ messages in thread
From: paper42 @ 2022-11-01 23:06 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 237 bytes --]

New review comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#discussion_r1010982735

Comment:
I think that if there are 2 names we want to match, we should match just those, not more.

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PR REVIEW] RFC: build-style/cargo: produce auditable binaries
       [not found] <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-40272@inbox.vuxu.org>
                   ` (17 preceding siblings ...)
  2022-11-01 23:06 ` paper42
@ 2022-11-01 23:19 ` classabbyamp
  2022-11-02  5:46 ` [PR PATCH] [Updated] " jcgruenhage
                   ` (2 subsequent siblings)
  21 siblings, 0 replies; 22+ messages in thread
From: classabbyamp @ 2022-11-01 23:19 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 242 bytes --]

New review comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#discussion_r1010988559

Comment:
I guess if we wanted to keep the regex, `^cargo-auditable(-bootstrap)?$` is the way to go

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PR PATCH] [Updated] RFC: build-style/cargo: produce auditable binaries
       [not found] <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-40272@inbox.vuxu.org>
                   ` (18 preceding siblings ...)
  2022-11-01 23:19 ` classabbyamp
@ 2022-11-02  5:46 ` jcgruenhage
  2022-11-02  5:46 ` [PR REVIEW] " jcgruenhage
  2022-11-03  7:50 ` [PR PATCH] [Merged]: " classabbyamp
  21 siblings, 0 replies; 22+ messages in thread
From: jcgruenhage @ 2022-11-02  5:46 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1628 bytes --]

There is an updated pull request by jcgruenhage against master on the void-packages repository

https://github.com/jcgruenhage/void-packages auditable-rust-binaries
https://github.com/void-linux/void-packages/pull/40272

RFC: build-style/cargo: produce auditable binaries

#### Testing the changes
- I tested the changes in this PR: **YES**

In contrast to other distros like f.ex. Fedora, we don't ship each crate in the
dependency tree of a Rust project as its own (source) package, which means that
xbps isn't aware of those dependencies. Recovering which versions of specific
libraries are used on a system is made very hard by this, which leaves people
clueless about what to do when a library has a CVE, for example.

This change embeds a table of dependencies that went into this binary into the
binary itself, which means recovering what binaries contain which libraries
becomes fairly trivial. Go does this by default, and the long-term goal is to
do the same with Rust, but we aren't there yet.

An example of how usage could look:

```text
❯ syft packages --catalogers all --output syft-json /usr/bin | jq '.artifacts[] | select(.metadata.name=="tokio") | .locations[].path'
 ✔ Indexed /usr/bin        
 ✔ Cataloged packages      [1905 packages]

"sq"
```

This shows me that the only auditable Rust binary depending on tokio on my
system right now is `sq`, and with different jq filters I can get out any info
I might need.


A patch file from https://github.com/void-linux/void-packages/pull/40272.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-auditable-rust-binaries-40272.patch --]
[-- Type: text/x-diff, Size: 4279 bytes --]

From c32034ab750ebe36a20a79764e905d249460dcd5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 22:27:17 +0100
Subject: [PATCH 1/3] New package: cargo-auditable-bootstrap-0.5.2

---
 srcpkgs/cargo-auditable-bootstrap/template | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 srcpkgs/cargo-auditable-bootstrap/template

diff --git a/srcpkgs/cargo-auditable-bootstrap/template b/srcpkgs/cargo-auditable-bootstrap/template
new file mode 100644
index 000000000000..21ec5a7f966c
--- /dev/null
+++ b/srcpkgs/cargo-auditable-bootstrap/template
@@ -0,0 +1,20 @@
+# Template file for 'cargo-auditable-bootstrap'
+# Keep synced with cargo-auditable
+pkgname=cargo-auditable-bootstrap
+version=0.5.2
+revision=1
+wrksrc=cargo-auditable-${version}
+build_wrksrc=cargo-auditable
+build_style=cargo
+# Required for bootstrapping purposes
+make_cmd=cargo
+short_desc="Bootstrap package for cargo-auditable"
+maintainer="Jan Christian Grünhage <jan.christian@gruenhage.xyz>"
+license="MIT,Apache-2.0"
+homepage="https://github.com/rust-secure-code/cargo-auditable"
+distfiles="https://github.com/rust-secure-code/cargo-auditable/archive/refs/tags/v${version}.tar.gz"
+checksum=fee70e8d2354e47eba1fed767430c12423c2a93c37307ae4c7d977c7693b88dd
+
+post_install() {
+	vlicense ../LICENSE-MIT
+}

From 59272778ca7de242eb5a74e2af6e2d582c882bcc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 22:28:16 +0100
Subject: [PATCH 2/3] cargo-auditable: depend and conflict on bootstrap package

---
 srcpkgs/cargo-auditable/template | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/cargo-auditable/template b/srcpkgs/cargo-auditable/template
index 0f95e6dc4d65..642e02a534cd 100644
--- a/srcpkgs/cargo-auditable/template
+++ b/srcpkgs/cargo-auditable/template
@@ -1,15 +1,18 @@
 # Template file for 'cargo-auditable'
+# Keep synced with cargo-auditable-bootstrap
 pkgname=cargo-auditable
 version=0.5.2
-revision=1
+revision=2
 build_wrksrc=cargo-auditable
 build_style=cargo
+hostmakedepends="cargo-auditable-bootstrap"
 short_desc="Tool for embedding dependency information in rust binaries"
 maintainer="Jan Christian Grünhage <jan.christian@gruenhage.xyz>"
 license="MIT,Apache-2.0"
 homepage="https://github.com/rust-secure-code/cargo-auditable"
 distfiles="https://github.com/rust-secure-code/cargo-auditable/archive/refs/tags/v${version}.tar.gz"
 checksum=fee70e8d2354e47eba1fed767430c12423c2a93c37307ae4c7d977c7693b88dd
+conflicts=cargo-auditable-bootstrap
 
 post_install() {
 	vlicense ../LICENSE-MIT

From 454b3b9338283ed56c413dde0a86ff2a2512acb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Tue, 1 Nov 2022 22:29:59 +0100
Subject: [PATCH 3/3] build-style/cargo: produce auditable binaries

---
 common/build-style/cargo.sh             | 6 +++---
 common/environment/build-style/cargo.sh | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/common/build-style/cargo.sh b/common/build-style/cargo.sh
index 4c456394df5b..387e711060bc 100644
--- a/common/build-style/cargo.sh
+++ b/common/build-style/cargo.sh
@@ -3,20 +3,20 @@
 #
 
 do_build() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 
 	${make_cmd} build --release --target ${RUST_TARGET} ${configure_args}
 }
 
 do_check() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 
 	${make_check_pre} ${make_cmd} test --release --target ${RUST_TARGET} ${configure_args} \
 		${make_check_args}
 }
 
 do_install() {
-	: ${make_cmd:=cargo}
+	: ${make_cmd:=cargo auditable}
 	: ${make_install_args:=--path .}
 
 	${make_cmd} install --target ${RUST_TARGET} --root="${DESTDIR}/usr" \
diff --git a/common/environment/build-style/cargo.sh b/common/environment/build-style/cargo.sh
index c7c9863a055f..473750c7a359 100644
--- a/common/environment/build-style/cargo.sh
+++ b/common/environment/build-style/cargo.sh
@@ -1,5 +1,9 @@
 hostmakedepends+=" cargo"
 
+if ! [[ "$pkgname" =~ ^cargo-auditable(-bootstrap)?$ ]]; then
+	hostmakedepends+=" cargo-auditable"
+fi
+
 if [ "$CROSS_BUILD" ]; then
 	makedepends+=" rust-std"
 fi
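Review bot: with the regex now anchored at both ends, exactly `cargo-auditable` and `cargo-auditable-bootstrap` are excluded from the host dependency, which resolves the over-matching raised on the previous revision. The remaining coupling is with `make_cmd=cargo` in the bootstrap template: an excluded package that does not override `make_cmd` would still call `cargo auditable`, so the two guards must be kept together if this list ever grows.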

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PR REVIEW] RFC: build-style/cargo: produce auditable binaries
       [not found] <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-40272@inbox.vuxu.org>
                   ` (19 preceding siblings ...)
  2022-11-02  5:46 ` [PR PATCH] [Updated] " jcgruenhage
@ 2022-11-02  5:46 ` jcgruenhage
  2022-11-03  7:50 ` [PR PATCH] [Merged]: " classabbyamp
  21 siblings, 0 replies; 22+ messages in thread
From: jcgruenhage @ 2022-11-02  5:46 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 183 bytes --]

New review comment by jcgruenhage on void-packages repository

https://github.com/void-linux/void-packages/pull/40272#discussion_r1011219155

Comment:
Adjusted the regex accordingly.

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PR PATCH] [Merged]: RFC: build-style/cargo: produce auditable binaries
       [not found] <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-40272@inbox.vuxu.org>
                   ` (20 preceding siblings ...)
  2022-11-02  5:46 ` [PR REVIEW] " jcgruenhage
@ 2022-11-03  7:50 ` classabbyamp
  21 siblings, 0 replies; 22+ messages in thread
From: classabbyamp @ 2022-11-03  7:50 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1448 bytes --]

There's a merged pull request on the void-packages repository

RFC: build-style/cargo: produce auditable binaries
https://github.com/void-linux/void-packages/pull/40272

Description:

#### Testing the changes
- I tested the changes in this PR: **YES**

In contrast to other distros like f.ex. Fedora, we don't ship each crate in the
dependency tree of a Rust project as its own (source) package, which means that
xbps isn't aware of those dependencies. Recovering which versions of specific
libraries are used on a system is made very hard by this, which leaves people
clueless about what to do when a library has a CVE, for example.

This change embeds a table of dependencies that went into this binary into the
binary itself, which means recovering what binaries contain which libraries
becomes fairly trivial. Go does this by default, and the long-term goal is to
do the same with Rust, but we aren't there yet.

An example of how usage could look:

```text
❯ syft packages --catalogers all --output syft-json /usr/bin | jq '.artifacts[] | select(.metadata.name=="tokio") | .locations[].path'
 ✔ Indexed /usr/bin        
 ✔ Cataloged packages      [1905 packages]

"sq"
```

This shows me that the only auditable Rust binary depending on tokio on my
system right now is `sq`, and with different jq filters I can get out any info
I might need.


^ permalink raw reply	[flat|nested] 22+ messages in thread

end of thread, other threads:[~2022-11-03  7:50 UTC | newest]
