aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDanilo M. <danix@danix.xyz>2026-06-26 10:48:26 +0200
committerDanilo M. <danix@danix.xyz>2026-06-26 10:48:26 +0200
commitcea7553eff80f20f16bdab32ccd974d21b76aca8 (patch)
tree86ac47199579755e6e2f13dfd6cc1a3719c3c0ef
parent56788f66c7ea10b5aac5005e6f2110508fd46167 (diff)
downloadslackware-pentesting-suite-cea7553eff80f20f16bdab32ccd974d21b76aca8.tar.gz
slackware-pentesting-suite-cea7553eff80f20f16bdab32ccd974d21b76aca8.zip
docs: explain vendored crates rationale and regeneration
Add a Vendored Crates section to the root README covering why Rust packages ship a vendored tarball (SBo builds run offline in a clean chroot) and how to regenerate it reproducibly with cargo-vendor-filterer and SOURCE_DATE_EPOCH. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
-rw-r--r--README.md34
1 files changed, 34 insertions, 0 deletions
diff --git a/README.md b/README.md
index 27a658d..95b550b 100644
--- a/README.md
+++ b/README.md
@@ -61,3 +61,37 @@ cp .extras/hooks/* .git/hooks/ && chmod 0755 .git/hooks/{pre,post}-commit
(`SBo/<package>.tar.gz`) for any added or updated package. To answer the
prompt non-interactively, set `SBO_ARCHIVE=yes` or `SBO_ARCHIVE=no` in the
environment.
+
+## Vendored Crates (Rust packages)
+
+Rust packages such as `feroxbuster` build from a vendored crates tarball
+(`<pkg>-<version>-vendor.tar.gz`) declared as a second source in the `.info`
+file, alongside the upstream tarball. The SlackBuild unpacks it, points cargo
+at it via `.cargo/config.toml`, and builds fully offline (`cargo build
+--offline --locked`).
+
+This mirrors how SlackBuilds.org packages Rust (and Go) software. SBo builds
+must be reproducible from the checksummed sources declared in `.info` and run
+in a clean chroot with no network access. Letting cargo fetch from crates.io
+at build time would break that: builds would depend on crates.io being
+reachable and unchanged, and the SBo build farm (which runs offline) would
+reject the package.
+
+The vendor tarball is generated once per version with `cargo-vendor-filterer`
+and hosted by the maintainer. `SOURCE_DATE_EPOCH` is pinned to the upstream
+release tag's commit date so the archive is byte-for-byte reproducible:
+
+```bash
+tar xf feroxbuster-<version>.tar.gz && cd feroxbuster-<version>
+export SOURCE_DATE_EPOCH="$(date -u -d '<release-tag commit date>' +%s)"
+cargo vendor-filterer \
+ --platform=x86_64-unknown-linux-gnu \
+ --prefix=vendor \
+ --format=tar.gz \
+ feroxbuster-<version>-vendor.tar.gz
+```
+
+The tag commit date comes from the GitHub API
+(`commits/<tag>` → `.commit.committer.date`). Then update `MD5SUM_x86_64` for
+the new tarball in the `.info` file. The exact command is also recorded in the
+package's own `README`.