[Bug 2145317] Re: FFe: Enable cargo-auditable support for several important Rust packages

Paride Legovini 2145317 at bugs.launchpad.net
Thu Mar 26 17:39:08 UTC 2026 

Looking at the FFe, I think this is fine: changes affect the build
system in a way that should not change actual behavior of the software.
FFe approved.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rust-sudo-rs in Ubuntu.
https://bugs.launchpad.net/bugs/2145317

Title:
  FFe: Enable cargo-auditable support for several important Rust
  packages

Status in Ubuntu:
  New
Status in rust-alacritty package in Ubuntu:
  Fix Released
Status in rust-bat package in Ubuntu:
  New
Status in rust-du-dust package in Ubuntu:
  New
Status in rust-eza package in Ubuntu:
  New
Status in rust-fd-find package in Ubuntu:
  New
Status in rust-hyperfine package in Ubuntu:
  New
Status in rust-ripgrep package in Ubuntu:
  New
Status in rust-sd package in Ubuntu:
  New
Status in rust-sudo-rs package in Ubuntu:
  Fix Committed
Status in The Resolute Raccoon:
  New
Status in rust-alacritty source package in Resolute:
  Fix Released
Status in rust-bat source package in Resolute:
  New
Status in rust-du-dust source package in Resolute:
  New
Status in rust-eza source package in Resolute:
  New
Status in rust-fd-find source package in Resolute:
  New
Status in rust-hyperfine source package in Resolute:
  New
Status in rust-ripgrep source package in Resolute:
  New
Status in rust-sd source package in Resolute:
  New
Status in rust-sudo-rs source package in Resolute:
  Fix Committed

Bug description:
  Hello,

  For the past cycle I have been working on patching in cargo-auditable
  support to dh-cargo. Cargo-auditable is a tool that embeds dependency
  metadata into Rust binaries.[1] This is invaluable in the aftermath of
  a CVE, as it lets you know at-a-glance if a binary may have been
  compromised. It's also great for curious users!

  For 26.04, cargo-auditable will be *opt-in.* Developers of Rust
  packages that build using dh-cargo can export
  `UBUNTU_ENABLE_CARGO_AUDITABLE=1` near the top of their d/rules, and
  including `Build-Depends: cargo-auditable` in d/control.

  [1]: https://github.com/rust-secure-code/cargo-auditable

  ## FFe ##

  This bug tracks the FFe to enable cargo-auditable for the following popular Rust packages:
  - rust-alacritty
  - rust-bat
  - rust-du-dust
  - rust-eza
  - rust-fd-find
  - rust-hyperfine
  - rust-ripgrep
  - rust-sd
  - rust-sudo-rs

  This FFe is necessary because getting cargo-auditable support in is a
  26.04 roadmap item, and we want developers to have easy access to
  tools to make their packages more secure.

  You can see the packages building here:
  https://launchpad.net/~petrakat/+archive/ubuntu/cargo-auditable-prod-
  test

  There is no upstream changelog, as this is an Ubuntu-only change.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/2145317/+subscriptions

More information about the foundations-bugs mailing list