cargo-c icon indicating copy to clipboard operation
cargo-c copied to clipboard
verified publisher icon lu-zero

cargo-c in debug mode binaries contain embedded build paths, making builds non-reproducible

Open Yashinde145 opened this issue 2 months ago • 3 comments

While building cargo-c in debug mode, the resulting binaries (cargo-capi, cargo-cbuild, cargo-cinstall, and cargo-ctest) contain absolute build paths embedded in them. This causes builds from different directories to produce non-identical binaries, breaking reproducibility.

Steps:

  1. Build with default settings (debug mode):
$ cargo build
$ cd target/debug
  1. Extract embedded paths from cargo-capi:
$ strings cargo-capi | rg "$PWD" | head -n 5
/home/user/cargo-c/target/debug/build/libgit2-sys-417a07c8a7c841b0/out/include/git2/sys
/home/user/cargo-c/target/debug/build/libgit2-sys-417a07c8a7c841b0/out/include/git2
/home/user/cargo-c/target/debug/build/libgit2-sys-417a07c8a7c841b0/out/include/git2/sys
/home/user/cargo-c/target/debug/build/libgit2-sys-417a07c8a7c841b0/out/include/git2
/home/user/cargo-c/target/debug/build/libgit2-sys-417a07c8a7c841b0/out/include/git2/sys

$ strings cargo-capi | rg "$PWD" | tail -n 5
/home/user/cargo-c/target/debug/build/libssh2-sys-765f67dda6fad88f/out/include
/home/user/cargo-c/target/debug/build/libssh2-sys-765f67dda6fad88f/out/include
/home/user/cargo-c/target/debug/build/libssh2-sys-765f67dda6fad88f/out/include
/home/user/cargo-c/target/debug/build/libssh2-sys-765f67dda6fad88f/out/include
/home/user/cargo-c/target/debug/build/libssh2-sys-765f67dda6fad88f/out/include

$ strings cargo-capi | rg "$PWD" | wc -l
301

Similar results were found with cargo-cinstall, cargo-cbuild and cargo-ctest binaries as well.

Can --remap-path-prefix be used to replace the build paths to something generic here?

Tried building with --remap-path-prefix to remove absolute paths but it didn't work: RUSTFLAGS="--remap-path-prefix=$(pwd)=/src/" cargo build

  • Could cargo-c use of --remap-path-prefix internally to produce cleaner debug builds?
  • Is there a known limitation in the dependencies like libgit2-sys or libssh2-sys that prevents remapping from working?
  • Is there a recommended way to ensure reproducible builds with cargo-c, especially for distributions?

This appears to be a reproducibility issue caused by absolute paths from build dependencies leaking into binaries. It would be helpful to confirm whether this is expected, how to fix it, or whether upstream changes are required (in cargo-c or its dependencies).

Yashinde145 avatar Oct 06 '25 10:10 Yashinde145

Isn't this a problem you have with cargo as well?

Please try this and report back, but I'm afraid it should be addressed at cargo level instead.

[package.metadata.capi.library]
rustflags = "{put here the flags}"

UPDATE: Wait, the problem is in the actual cargo-c binaries? Then it is definitely a cargo issue and there is nothing we can and should do here.

lu-zero avatar Oct 06 '25 11:10 lu-zero

Isn't this a problem you have with cargo as well?

Please try this and report back, but I'm afraid it should be addressed at cargo level instead.

I tried and issue still exists.

I would like to know why this is a cargo issue? Could this be fixed with cargo-c itself or should I report it to cargo?

Yashinde145 avatar Oct 06 '25 11:10 Yashinde145

It is a cargo issue, I thought you had problems with building something using cargo-c, today had been quite Monday.

You can see if building cargo with cargo shows the same problem on your system :) (literally cargo install cargo --root=/tmp/test)

lu-zero avatar Oct 06 '25 16:10 lu-zero