Re: cargo-auditable and Debian
Hi
Sorry that I haven't answered before; I have to blame a general lack
of time in my life. I no longer work as a security engineer full time
and don't have dedicated work hours for these kinds of research
subjects.
I think that this would be a great addition to help our users with
their security posture. It's very common that different security tools
don't understand how to explore the different Debian metadata and
tools, and the data in our security tracker
(https://security-tracker.debian.org/tracker/) is also often misused.
I have tried to explain the difference between source packages and
binary packages, and that the tracker works on source packages, to the
company that we buy security tooling from at work, and that failed.
Having the possibility to associate a dependency tree directly with a
binary, without the addition of extra metadata files that might get
out of sync will increase the reliability of the different scanners
that our users use.
Best regards,
Alex
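To make concrete what "associate a dependency tree directly with a binary" means for a scanner, here is an added example (not code from this thread, from Debian, or from the cargo-auditable project) that reads the embedded dependency list straight out of an ELF file with nothing but the standard library. It assumes what the cargo-auditable documentation states: the data lives in a section named `.dep-v0` and is zlib-compressed JSON with a `packages` array; neither detail appears on this page, so treat them as assumptions. The ELF container and the package list are constructed fixtures so the example runs offline.

```python
from __future__ import annotations

import json
import struct
import zlib

# ELF64 little-endian layouts, fixed by the ELF specification.
ELF_MAGIC = b"\x7fELF"
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")        # Elf64_Shdr, 64 bytes
SHT_PROGBITS, SHT_STRTAB = 1, 3

# Assumption: cargo-auditable stores zlib-compressed JSON in a section named
# ".dep-v0" (per the project's documentation; not stated in this thread).
AUDIT_SECTION = ".dep-v0"


def find_section(data: bytes, wanted: str) -> bytes | None:
    """Return the raw bytes of the named section, or None if it is absent.

    Walks the section header table and resolves names through the
    section-name string table (e_shstrndx). Offsets are bounds-checked so a
    truncated or hostile file raises instead of returning garbage.
    """
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if shentsize != SHDR.size or shoff + shnum * shentsize > len(data):
        raise ValueError("section header table is malformed or truncated")
    headers = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    names_hdr = headers[shstrndx]
    names = data[names_hdr[4]:names_hdr[4] + names_hdr[5]]
    for name_off, _type, _flags, _addr, offset, size, *_ in headers:
        end = names.find(b"\0", name_off)
        if end != -1 and names[name_off:end].decode("ascii", "replace") == wanted:
            if offset + size > len(data):
                raise ValueError(f"section {wanted} extends past end of file")
            return data[offset:offset + size]
    return None


def audit_info(elf: bytes) -> dict | None:
    """Decode the embedded dependency tree, or None if the binary has none."""
    section = find_section(elf, AUDIT_SECTION)
    return None if section is None else json.loads(zlib.decompress(section))


def list_packages(info: dict) -> list[tuple[str, str]]:
    """Flatten the decoded tree into (name, version) pairs for a scanner."""
    return [(p["name"], p["version"]) for p in info["packages"]]


def build_minimal_elf(sections: dict[str, bytes]) -> bytes:
    """Constructed fixture: a bare ELF64 shell (not runnable as a program)
    carrying the given sections plus the .shstrtab that names them."""
    names = dict(sections)
    names[".shstrtab"] = b""  # placeholder, filled in once all names are known
    shstrtab, name_off = b"\0", {}
    for name in names:
        name_off[name] = len(shstrtab)
        shstrtab += name.encode() + b"\0"
    names[".shstrtab"] = shstrtab
    body, offsets, cur = b"", {}, EHDR.size
    for name, content in names.items():
        offsets[name] = cur
        body += content
        cur += len(content)
    shdrs = SHDR.pack(*([0] * 10))  # mandatory null header at index 0
    for name, content in names.items():
        sh_type = SHT_STRTAB if name == ".shstrtab" else SHT_PROGBITS
        shdrs += SHDR.pack(name_off[name], sh_type, 0, 0, offsets[name],
                           len(content), 0, 0, 1, 0)
    shnum = len(names) + 1
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, 0, cur, 0, EHDR.size, 0, 0,
                     SHDR.size, shnum, shnum - 1)
    return ehdr + body + shdrs


# Constructed sample mirroring the cargo-auditable JSON layout (assumed).
SAMPLE_DEP_V0 = {
    "packages": [
        {"name": "example-bin", "version": "0.1.0", "source": "local",
         "dependencies": [1, 2], "root": True},
        {"name": "serde", "version": "1.0.0", "source": "crates.io",
         "dependencies": []},
        {"name": "libc", "version": "0.2.0", "source": "crates.io",
         "dependencies": []},
    ]
}


def sample_elf() -> bytes:
    """Constructed binary with a .text stub and an embedded .dep-v0 payload."""
    payload = zlib.compress(json.dumps(SAMPLE_DEP_V0, separators=(",", ":")).encode())
    return build_minimal_elf({".text": b"\xc3", AUDIT_SECTION: payload})


if __name__ == "__main__":
    info = audit_info(sample_elf())
    for name, version in list_packages(info or {"packages": []}):
        print(f"{name} {version}")
```

The point for a scanner is visible in `audit_info`: the only input is the file itself, so the result cannot drift from the binary the way a sidecar metadata file can. The trade-off NoisyCoil raises below also follows from the code: you need the bytes of the executable, so the package must be downloaded and unpacked before anything can be read.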
On Sat 23 Aug 2025 at 16:39, NoisyCoil <noisycoil@disroot.org> wrote:
>
> Hi Shnatsel!
>
> Thanks for your email.
>
> On 23/08/25 15:08, Sergey Davidoff wrote:
> > Alexander Kjall has experimented with using it to complement or replace
> > dh-cargo-built-using, but it wasn't up to scratch back then. I just
> > wanted to let you know that I've cleared the technical blockers:
> > https://github.com/rust-secure-code/cargo-auditable/issues/128
> I think Alexander is in a better position to answer this so I added him
> in cc, but since you mentioned it, how is cargo-auditable supposed to
> replace dh-cargo-built-using, since metadata in Debian is tracked via
> archive metadata (e.g. Sources/Packages/UDD entries) and not metadata
> stored in the linker section of the executable? Wouldn't this be a
> regression in comparison to the current status quo, since it would
> require the package to actually be installed (or at least downloaded and
> unpacked) on the system?
>
> As for complementing dh-cargo-built-using, this seems a nice added touch
> which we maybe don't exactly need (again, we already track metadata in a
> more efficient way for the purposes of Debian -- just run `apt info` on
> any rust package, installed or not), but which I would fully support if
> the ecosystem converges towards using cargo-auditable.
>
> Cheers!
>