{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreib7swfck6tvpwucmv2u42ro5tmrmspjrzijg766cccpxtqy2bjnvq",
    "uri": "at://did:plc:ivbknywyskln22er3nkssdhl/app.bsky.feed.post/3mjaweigwgak2"
  },
  "path": "/t/build-security/24166#post_10",
  "publishedAt": "2026-04-11T13:13:54.000Z",
  "site": "https://internals.rust-lang.org",
  "tags": [
    "Reduce the need for users to write build scripts · Issue #14948 · rust-lang/cargo · GitHub",
    "Tracking issue for RFC 2196, \"metabuild: semantic build scripts for Cargo\" · Issue #14903 · rust-lang/cargo · GitHub"
  ],
  "textContent": "kpreid:\n\n> The primary obstacle to getting sandboxing into Cargo (for build scripts) and rustc (for proc-macros) is **implementing it** (or at least prototyping it), not convincing people that it should be done.\n\nActually, I need convincing.\n\nIt is a huge effort with a lot of design work and _it is incomplete_. It only covers build time behavior and not runtime behavior. There are ways (e.g. `cackle`) where we can get the benefit for both build time and runtime. That seems like a much higher pay off direction to go.\n\nEDIT: I also very much want us to explore\n\n  * reducing the need for build-rs (Reduce the need for users to write build scripts · Issue #14948 · rust-lang/cargo · GitHub)\n  * consolidate build scripts via build script delegation, reducing the audit surface (Tracking issue for RFC 2196, \"metabuild: semantic build scripts for Cargo\" · Issue #14903 · rust-lang/cargo · GitHub)\n  * explore how far we can go with declarative macros to replace proc-macros\n\n",
  "title": "Build Security"
}