Support for building auditable rust binaries with cargo-auditable

[figsoda]

cargo-auditable is a tool to store the exact versions of dependencies in rust binaries and makes it easier/possible to audit the dependency tree of rust binaries. It was added to nixpkgs in #191821, and there is currently an open RFC to implement this within cargo: (rust-lang/rfcs#2801)

Void linux recently integrated this with its build system: void-linux/void-packages#40272, and thank you @jcgruenhage for the suggestion

• auditable option in buildRustPackage
  • Initial implementation rustPlatform.buildRustPackage: build auditable binaries #204686
  • Make it the default rustPlatform.buildRustPackage: make auditable the default #223320
• auditable option in buildRustCrate (Is this possible?)

[figsoda]

I tried to implement this, but even with dontStrip = false and dontFixup = false, I still wasn't able to get rust-audit-info to find any data

[jcgruenhage]

@figsoda do you have your changes pushed somewhere? I can take a look and try to find out why it's not working, or maybe @Shnatsel has an idea?

[figsoda]

I cleaned up the code a bit and pushed the changes to https://github.com/figsoda/nixpkgs/tree/auditable

maybe you want to cherry-pick it to master if you want to test it out so you can use the cache

[Shnatsel]

Hey! cargo auditable developer here. I have no experience with Nix, so I would need someone to walk me through the reproduction steps.

If the build doesn't fail but also doesn't inject any audit info, the only reason for that I can think of is the environment variables set by cargo-auditable binary are being cleared.

cargo-auditable sets the RUSTC_WORKSPACE_WRAPPER environment variable so that it gets called in place of rustc for packages coming from the current workspace. If this environment variable is not propagated to Cargo, then the callbacks for injecting the audit data are never invoked.

On strace the callbacks to inject audit data should show up as cargo-auditable rustc followed by a long list of rustc arguments. If there are no such calls, then the RUSTC_WORKSPACE_WRAPPER env var almost certainly has been unset.

[Shnatsel]

An even easier way to check if cleared env vars are to blame: you can set the rustc-workspace-wrapper parameter in the Cargo config file.

If the build starts crashing because it can't find additional environment variables, then the environment variables were indeed cleared. If it starts working and the audit data gets embedded, then apparently only RUSTC_WORKSPACE_WRAPPER was unset.

[figsoda]

Turns out I had a typo here 🤦
will open a pr once I'm done

[bbigras]

can this be closed?

[figsoda]

It is not implemented for buildRustCrate, but it might not be possible, so I think we can close this now