diff options
| author | Danilo M. <danix@danix.xyz> | 2026-06-26 10:48:26 +0200 |
|---|---|---|
| committer | Danilo M. <danix@danix.xyz> | 2026-06-26 10:48:26 +0200 |
| commit | cea7553eff80f20f16bdab32ccd974d21b76aca8 (patch) | |
| tree | 86ac47199579755e6e2f13dfd6cc1a3719c3c0ef | |
| parent | 56788f66c7ea10b5aac5005e6f2110508fd46167 (diff) | |
| download | slackware-pentesting-suite-cea7553eff80f20f16bdab32ccd974d21b76aca8.tar.gz slackware-pentesting-suite-cea7553eff80f20f16bdab32ccd974d21b76aca8.zip | |
docs: explain vendored crates rationale and regeneration
Add a Vendored Crates section to the root README covering why Rust packages
ship a vendored tarball (SBo builds run offline in a clean chroot) and how to
regenerate it reproducibly with cargo-vendor-filterer and SOURCE_DATE_EPOCH.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
| -rw-r--r-- | README.md | 34 |
1 files changed, 34 insertions, 0 deletions
@@ -61,3 +61,37 @@ cp .extras/hooks/* .git/hooks/ && chmod 0755 .git/hooks/{pre,post}-commit (`SBo/<package>.tar.gz`) for any added or updated package. To answer the prompt non-interactively, set `SBO_ARCHIVE=yes` or `SBO_ARCHIVE=no` in the environment. + +## Vendored Crates (Rust packages) + +Rust packages such as `feroxbuster` build from a vendored crates tarball +(`<pkg>-<version>-vendor.tar.gz`) declared as a second source in the `.info` +file, alongside the upstream tarball. The SlackBuild unpacks it, points cargo +at it via `.cargo/config.toml`, and builds fully offline (`cargo build +--offline --locked`). + +This mirrors how SlackBuilds.org packages Rust (and Go) software. SBo builds +must be reproducible from the checksummed sources declared in `.info` and run +in a clean chroot with no network access. Letting cargo fetch from crates.io +at build time would break that: builds would depend on crates.io being +reachable and unchanged, and the SBo build farm (which runs offline) would +reject the package. + +The vendor tarball is generated once per version with `cargo-vendor-filterer` +and hosted by the maintainer. `SOURCE_DATE_EPOCH` is pinned to the upstream +release tag's commit date so the archive is byte-for-byte reproducible: + +```bash +tar xf feroxbuster-<version>.tar.gz && cd feroxbuster-<version> +export SOURCE_DATE_EPOCH="$(date -u -d '<release-tag commit date>' +%s)" +cargo vendor-filterer \ + --platform=x86_64-unknown-linux-gnu \ + --prefix=vendor \ + --format=tar.gz \ + feroxbuster-<version>-vendor.tar.gz +``` + +The tag commit date comes from the GitHub API +(`commits/<tag>` → `.commit.committer.date`). Then update `MD5SUM_x86_64` for +the new tarball in the `.info` file. The exact command is also recorded in the +package's own `README`. |
