Re: cargo-auditable and Debian
Hi Shnatsel!
Thanks for your email.
On 23/08/25 15:08, Sergey Davidoff wrote:
> Alexander Kjall has experimented with using it to complement or replace
> dh-cargo-built-using, but it wasn't up to scratch back then. I just
> wanted to let you know that I've cleared the technical blockers:
> https://github.com/rust-secure-code/cargo-auditable/issues/128
I think Alexander is in a better position to answer this so I added him
in c.c., but since you mentioned it, how is cargo-auditable supposed to
replace dh-cargo-built-using, since metadata in Debian is tracked via
archive metadata (e.g. Sources/Packages/UDD entries) and not metadata
stored in the linker section of the executable? Wouldn't this be a
regression in comparison to the current status quo, since it would
require the package to actually be installed (or at least downloaded and
unpacked) on the system?
As for complementing dh-cargo-built-using, this seems a nice added touch
which we maybe don't exactly need (again, we already track metadata in a
more efficient way for the purposes of Debian -- just run `apt info` on
any Rust package, installed or not), but which I would fully support if
the ecosystem converges towards using cargo-auditable.
Cheers!