
Re: cargo-auditable and Debian



Hi Shnatsel!

Thanks for your email.

On 23/08/25 15:08, Sergey Davidoff wrote:
> Alexander Kjall has experimented with using it to complement or replace dh-cargo-built-using, but it wasn't up to scratch back then. I just wanted to let you know that I've cleared the technical blockers: https://github.com/rust-secure-code/cargo-auditable/issues/128

I think Alexander is in a better position to answer this so I added him in c.c., but since you mentioned it, how is cargo-auditable supposed to replace dh-cargo-built-using, since metadata in Debian is tracked via archive metadata (e.g. Sources/Packages/UDD entries) and not metadata stored in the linker section of the executable? Wouldn't this be a regression in comparison to the current status quo, since it would require the package to actually be installed (or at least downloaded and unpacked) on the system?

As for complementing dh-cargo-built-using, this seems a nice added touch which we maybe don't exactly need (again, we already track metadata in a more efficient way for the purposes of Debian -- just run `apt info` on any Rust package, installed or not), but which I would fully support if the ecosystem converges towards using cargo-auditable.


Cheers!

