In early 2017, a Rust developer filed an issue on the Rust lang's GitHub asking, "How can I stop rustc [from] including system specific information such as absolute file paths of the source it's compiled from in the binaries it generates?"
In 2018 the --remap-path-prefix option was introduced to address these concerns.
It kinda feels like Cargo should just be turning that on by default, though - set it to the workspace root or crate root. Release mode only if it's too much of a detriment to debugging.
Perhaps. I suspect it would be a breaking change though. Elsewhere someone suggested giving Cargo a new shipping profile that could do things like this more easily.
Btw if you truly don't want to leak information then the flag alone isn't sufficient. For example, the linker can add information to a binary. Also things such as times, dates, hashes, etc. can leak through if you aren't careful.
There are similar issues with C/C++ builds. Usually you'd use a container (or VM) along with particular compiler/linker/build-system flags for shipping binaries without leaking information.
The Rust situation is still a work in progress and it'll be interesting to see how it can be improved.
This. Really, if you're using Cargo in the usual ways (automatically downloading deps and building things, etc.), do it in a restricted environment of some sort generally. Same for any analogous dependency manager.
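A check for the path leak discussed in this thread, as an added example (not code from the thread or from the Rust project): it scans a binary's bytes for strings that start with a build-host path prefix, which is what `--remap-path-prefix FROM=TO` is meant to eliminate. The prefix list, the `/build` remap target and the sample bytes are constructed assumptions.

```rust
use std::collections::BTreeSet;

// Assumed list of prefixes that indicate a build-host path; extend for your environment.
const HOST_PREFIXES: [&str; 4] = ["/home/", "/Users/", "/root/", "C:\\Users\\"];

// Constructed samples standing in for a binary's read-only data (not from a real build).
// BEFORE: no remapping. WORKSPACE_ONLY: only the workspace root remapped to /build.
const BEFORE: &[u8] = b"\x7fELF\x02\x01\x00/home/alice/proj/src/main.rs\x00\x01\
/home/alice/.cargo/registry/src/index.crates.io-0000/foo-1.0.0/src/lib.rs\x00";
const WORKSPACE_ONLY: &[u8] = b"\x7fELF\x02\x01\x00/build/src/main.rs\x00\x01\
/home/alice/.cargo/registry/src/index.crates.io-0000/foo-1.0.0/src/lib.rs\x00";

/// Split raw bytes into runs of printable ASCII, as `strings` does.
fn printable_runs(data: &[u8], min_len: usize) -> Vec<&str> {
    data.split(|b| !(b.is_ascii_graphic() || *b == b' '))
        .filter(|run| run.len() >= min_len)
        .map(|run| std::str::from_utf8(run).expect("ASCII is valid UTF-8"))
        .collect()
}

/// Return each distinct string that starts with one of `prefixes`, sorted.
fn find_leaked_paths(data: &[u8], prefixes: &[&str]) -> Vec<String> {
    let mut hits = BTreeSet::new();
    for run in printable_runs(data, 6) {
        for &prefix in prefixes {
            for (start, _) in run.match_indices(prefix) {
                // Rust string data is not NUL-terminated, so a hit may carry
                // trailing text; cut at the first space to keep it short.
                let tail = &run[start..];
                let end = tail.find(' ').unwrap_or(tail.len());
                hits.insert(tail[..end].to_string());
            }
        }
    }
    hits.into_iter().collect()
}

fn main() {
    // With a file argument, scan that binary; otherwise scan the constructed sample.
    let data = match std::env::args().nth(1) {
        Some(path) => std::fs::read(&path).expect("cannot read file"),
        None => WORKSPACE_ONLY.to_vec(),
    };
    let hits = find_leaked_paths(&data, &HOST_PREFIXES);
    for hit in &hits {
        println!("leaked build path: {hit}");
    }
    std::process::exit(if hits.is_empty() { 0 } else { 1 });
}
```

The second sample shows why one remap of the workspace root is not enough: dependency paths under the Cargo registry still carry the home directory and need their own remap or a neutral build location.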