diff options
| -rw-r--r-- | README.md | 34 |
1 files changed, 34 insertions, 0 deletions
@@ -61,3 +61,37 @@ cp .extras/hooks/* .git/hooks/ && chmod 0755 .git/hooks/{pre,post}-commit (`SBo/<package>.tar.gz`) for any added or updated package. To answer the prompt non-interactively, set `SBO_ARCHIVE=yes` or `SBO_ARCHIVE=no` in the environment. + +## Vendored Crates (Rust packages) + +Rust packages such as `feroxbuster` build from a vendored crates tarball +(`<pkg>-<version>-vendor.tar.gz`) declared as a second source in the `.info` +file, alongside the upstream tarball. The SlackBuild unpacks it, points cargo +at it via `.cargo/config.toml`, and builds fully offline (`cargo build +--offline --locked`). + +This mirrors how SlackBuilds.org packages Rust (and Go) software. SBo builds +must be reproducible from the checksummed sources declared in `.info` and run +in a clean chroot with no network access. Letting cargo fetch from crates.io +at build time would break that: builds would depend on crates.io being +reachable and unchanged, and the SBo build farm (which runs offline) would +reject the package. + +The vendor tarball is generated once per version with `cargo-vendor-filterer` +and hosted by the maintainer. `SOURCE_DATE_EPOCH` is pinned to the upstream +release tag's commit date so the archive is byte-for-byte reproducible: + +```bash +tar xf feroxbuster-<version>.tar.gz && cd feroxbuster-<version> +export SOURCE_DATE_EPOCH="$(date -u -d '<release-tag commit date>' +%s)" +cargo vendor-filterer \ + --platform=x86_64-unknown-linux-gnu \ + --prefix=vendor \ + --format=tar.gz \ + feroxbuster-<version>-vendor.tar.gz +``` + +The tag commit date comes from the GitHub API +(`commits/<tag>` → `.commit.committer.date`). Then update `MD5SUM_x86_64` for +the new tarball in the `.info` file. The exact command is also recorded in the +package's own `README`. |
