
Air-gapped builds using Cargo

Open kchudy opened this issue 5 months ago • 1 comments

  1. Modify the cargo build process to only use a local mirror.
  2. Cargo never reaches the internet for packages.
  3. Use https://kellnr.io for the mirror.

Possible development workflow:

  1. Developer uploads the dependencies to Kellnr. The developer checks the dependencies manually, or there's an automatic check before the upload.
  2. Developer creates a PR with a modified Cargo.lock.
  3. An automatic job checks all dependencies from Cargo.lock for security issues.
  4. If passed, an automatic job updates Kellnr with new dependencies.
  5. The solution gets built using Kellnr as crates mirror. Cargo can be configured to operate on replaced crates: https://doc.rust-lang.org/cargo/reference/source-replacement.html#configuration

kchudy, Aug 29 '25 11:08

Kellnr can be put in proxy mode, but that doesn't work as an air-gapped environment, but as a proxy. It's better to use https://github.com/dhovart/cargo-local-registry to sync to a private storage, then serve the storage using an HTTP server.

moubctez, Oct 01 '25 07:10
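One check the automatic Cargo.lock job from the workflow above could run before an offline build, shown as an added example that is not code from this issue or from the defguard project: it reports lockfile entries that a crates.io mirror cannot serve (git or other-registry sources) or cannot verify (no checksum). It assumes the mirror is configured as a replacement for the crates-io source, so lockfile entries keep the crates.io index URL; the function names and the sample lockfile are constructed for illustration.

```rust
const CRATES_IO: &str = "registry+https://github.com/rust-lang/crates.io-index";

#[derive(Default)]
struct Pkg { name: String, source: Option<String>, checksum: bool }

// Extracts the value of a `key = "value"` line, or None if the key differs.
fn value(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"').to_string())
}

// One finding per package that the offline build could not fetch or verify.
fn violations(lock: &str) -> Vec<String> {
    let (mut pkgs, mut in_pkg) = (Vec::<Pkg>::new(), false);
    for line in lock.lines().map(str::trim) {
        if line.starts_with('[') {
            in_pkg = line == "[[package]]"; // skip [metadata] and other tables
            if in_pkg { pkgs.push(Pkg::default()); }
        } else if in_pkg {
            let p = pkgs.last_mut().unwrap();
            if let Some(v) = value(line, "name") { p.name = v; }
            else if let Some(v) = value(line, "source") { p.source = Some(v); }
            else if value(line, "checksum").is_some() { p.checksum = true; }
        }
    }
    pkgs.iter().filter_map(|p| match p.source.as_deref() {
        None => None, // path or workspace crate, built from the checkout itself
        Some(CRATES_IO) if p.checksum => None,
        Some(CRATES_IO) => Some(format!("{}: registry crate without checksum", p.name)),
        Some(other) => Some(format!("{}: not served by the mirror ({})", p.name, other)),
    }).collect()
}

// Constructed sample lockfile; names, URL and checksum are placeholders.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "app"
version = "0.1.0"

[[package]]
name = "serde"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "helper"
version = "0.2.0"
source = "git+https://git.example.invalid/helper#0000000"
"#;

fn main() { for v in violations(SAMPLE_LOCK) { println!("{}", v); } }
```

A CI job would read the PR's Cargo.lock instead of the sample and fail when the returned list is non-empty.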