tamer: cargo --frozen --offline

Cargo's default behavior is unfortunately to issue network calls each time
it is invoke in order to check for dependencies updates.  This is not only
bad for reproducibility and privacy, but it's also a concern for supply
chain attacks, since most developers are unaware that this is occurring.

Instead, we pin to the lockfile.  Installing dependencies can be done with
`cargo fetch` and updating dependencies must be explicitly done by the
developer, with the lockfile updated.

bootstrap

@@ -30,7 +30,7 @@ test "${1:-}" = -n || git submodule update --init --recursive
     && { which npm && npm install || true; } \
     && ./autogen.sh && ./configure
 ) \
-  && ( cd tamer && ./bootstrap && ./configure ) \
+  && ( cd tamer && ./bootstrap ) \
   && { test -e hoxsl || test -L hoxsl || ln -s ../hoxsl; } \
   && autoreconf -fvi \
   && ./configure \

tamer/Makefile.am

@@ -37,31 +37,36 @@ all: bin doc bench-build
 
 .PHONY: bin
 bin:
-	@CARGO@ +@RUST_TC@ build $(CARGO_BUILD_FLAGS) @FEATURES@
+	@CARGO@ +@RUST_TC@ @CARGO_FLAGS@ build $(CARGO_BUILD_FLAGS) @FEATURES@
 
 doc: html
 html-am:
-	@CARGO@ +@RUST_TC@ test --doc @FEATURES@
-	@CARGO@ +@RUST_TC@ @CARGO_DOC_FLAGS@ doc --document-private-items @FEATURES@
+	@CARGO@ +@RUST_TC@ @CARGO_FLAGS@ test --doc @FEATURES@
+	@CARGO@ +@RUST_TC@ @CARGO_FLAGS@ @CARGO_DOC_FLAGS@ doc --document-private-items @FEATURES@
 
 # note that 'cargo check' is something else; see 'cargo --help'
 test: check
 check-am: check-fmt
-	@CARGO@ +@RUST_TC@ test @FEATURES@
+	@CARGO@ +@RUST_TC@ @CARGO_FLAGS@ test @FEATURES@
 
 check-fmt:
-	@CARGO@ +@RUST_TC@ fmt -- --check
+	@CARGO@ +@RUST_TC@ @CARGO_FLAGS@ fmt -- --check
 
 bench:
-	@CARGO@ +@RUST_TC@ @CARGO_BENCH_PRE_FLAGS@ bench $(CARGO_BENCH_FLAGS) @FEATURES@
+	@CARGO@ +@RUST_TC@ @CARGO_FLAGS@ @CARGO_BENCH_PRE_FLAGS@ bench $(CARGO_BENCH_FLAGS) @FEATURES@
 
 # Build but do not run benches (to ensures we didn't break them)
 bench-build:
-	@CARGO@ +@RUST_TC@ @CARGO_BENCH_PRE_FLAGS@ build --benches @FEATURES@
+	@CARGO@ +@RUST_TC@ @CARGO_FLAGS@ @CARGO_BENCH_PRE_FLAGS@ build --benches @FEATURES@
 
 fix: fmt
 fmt:
-	@CARGO@ +@RUST_TC@ fmt
+	@CARGO@ +@RUST_TC@ @CARGO_FLAGS@ fmt
 
 clean-am:
-	@CARGO@ +@RUST_TC@ clean
+	@CARGO@ +@RUST_TC@ @CARGO_FLAGS@ clean
+
+.PHONY: fetch
+fetch:
+	@CARGO@ +@RUST_TC@ --locked fetch
+

tamer/bootstrap

@@ -17,9 +17,14 @@
 #
 #   You should have received a copy of the GNU General Public License
 #   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+# This script should be run _once_ after an initial checkout, otherwise it
+# may overwrite any subsequent configuration you may have done.
 ##
 
 set -euo pipefail
 
-./autogen.sh
+# This will apply a default configuration, which will be used to perform a
+# fetch of the dependencies.  You are of course free to reconfigure after.
+./autogen.sh && ./configure && make fetch
 

tamer/configure.ac

@@ -49,6 +49,12 @@ AC_SUBST([RUST_TC], nightly)
 
 test -n "$CARGO" || AC_MSG_ERROR([cargo not found])
 
+# There is no reason the build should _ever_ access the network.
+# This both helps with reproducibility and helps to mitigate supply chain
+# attacks by requiring developers to explicitly indicate their intent to
+# fetch a network resource (by invoking cargo manually).
+AC_SUBST([CARGO_FLAGS], "--frozen --offline")
+
 # This is a nightly version at the time of writing
 rustc_ver_req=1.57.0