@sbeattie there's some context on those various fields in https://github.com/cpaelzer/ubuntu-mir/pull/3

Basically X-Cargo-Built-Using should be folded into Built-Using. There has been no talk of automating detection of packages that ought to have those fields, but that does sound like a good idea.

However, in the case of rustc and any future main package built using Rust, there are going to be vendored dependencies that are not packaged at all. It doesn't seem like a good idea to me to document those in the same fields as the dependencies that are separately packaged but statically linked, which is why I proposed shipping the Cargo.lock file. If you'd prefer, we could instead ship it in another field, maybe X-Vendored-Sources (as mentioned before, Built-Using seems out of scope for that).

For instance, using this small Python snippet, I get this for the Cargo.lock file shipped in rustc (Jammy):

$ zcat Cargo.lock.gz | python3 -c "import toml; import sys; print(', '.join(f\"{p['name']}/{p['version']}\" for p in toml.load(sys.stdin)['package'] if 'source' in p))"

addr2line/0.16.0, adler/1.0.2, aho-corasick/0.7.18, ammonia/3.1.0, annotate-snippets/0.8.0, ansi_term/0.11.0, ansi_term/0.12.1, anyhow/1.0.45, array_tool/1.0.3, arrayvec/0.7.2, atty/0.2.14, autocfg/1.0.1, bitflags/1.3.2, block-buffer/0.7.3, block-buffer/0.9.0, block-padding/0.1.5, bstr/0.2.13, byte-tools/0.3.1, bytecount/0.6.2, byteorder/1.3.4, camino/1.0.5, cargo-platform/0.1.2, cargo_metadata/0.12.0, cargo_metadata/0.14.1, cc/1.0.71, cfg-if/0.1.10, cfg-if/1.0.0, chalk-derive/0.55.0, chalk-engine/0.55.0, chalk-ir/0.55.0, chalk-solve/0.55.0, chrono/0.4.19, clap/2.33.3, cmake/0.1.44, colored/2.0.0, compiler_builtins/0.1.53, compiletest_rs/0.7.1, cpuid-bool/0.1.2, crc32fast/1.2.1, crossbeam-channel/0.5.1, crossbeam-deque/0.7.4, crossbeam-deque/0.8.1, crossbeam-epoch/0.8.2, crossbeam-epoch/0.9.5, crossbeam-queue/0.2.3, crossbeam-utils/0.7.2, crossbeam-utils/0.8.5, cstr/0.2.8, ctor/0.1.15, datafrog/2.0.1,
derive-new/0.5.8, diff/0.1.12, difference/2.0.0, digest/0.8.1, digest/0.9.0, dirs/2.0.2, dirs-next/2.0.0, dirs-sys/0.3.6, dirs-sys-next/0.1.2, dlmalloc/0.2.3, either/1.6.1, elasticlunr-rs/2.3.9, ena/0.14.0, env_logger/0.7.1, env_logger/0.8.4, expect-test/1.0.1, fake-simd/0.1.2, filetime/0.2.15, fixedbitset/0.2.0, flate2/1.0.22, fnv/1.0.7, form_urlencoded/1.0.1, fortanix-sgx-abi/0.3.3, fs-err/2.5.0, futf/0.1.4, generic-array/0.12.4, generic-array/0.14.4, getopts/0.2.21, getrandom/0.1.14, getrandom/0.2.0, gimli/0.25.0, glob/0.3.0, globset/0.4.5, globwalk/0.8.1, gsgdt/0.1.2, handlebars/4.1.0, hashbrown/0.11.2, heck/0.3.3, hermit-abi/0.1.19, hex/0.4.2, html5ever/0.25.1, humantime/1.3.0, humantime/2.0.1, idna/0.2.3, if_chain/1.0.0, ignore/0.4.17, indexmap/1.7.0, indoc/1.0.3, instant/0.1.12, itertools/0.9.0, itertools/0.10.1, itoa/0.4.8, jobserver/0.1.24, jsonpath_lib/0.2.6, lazy_static/1.4.0, libc/0.2.107, libm/0.1.4, lock_api/0.4.5, log/0.4.14, lzma-sys/0.1.16, mac/0.1.1, macro-utils/0.1.3, maplit/1.0.2, markup5ever/0.10.0, markup5ever_rcdom/0.1.0, matchers/0.0.1, matches/0.1.9, maybe-uninit/2.0.0, md-5/0.9.1, mdbook/0.4.12, measureme/10.0.0, memchr/2.4.1, memmap2/0.2.1, memoffset/0.5.5, memoffset/0.6.4, merge/0.1.0, merge_derive/0.1.0, minifier/0.0.41, miniz_oxide/0.4.4, miow/0.3.7, new_debug_unreachable/1.0.4, num-integer/0.1.43, num-traits/0.2.12, num_cpus/1.13.0, object/0.26.2, odht/0.3.1, once_cell/1.8.0, opaque-debug/0.2.3, opaque-debug/0.3.0, open/1.4.0, opener/0.5.0, output_vt100/0.1.2, packed_simd_2/0.3.4, parking_lot/0.11.2, parking_lot_core/0.8.5, pathdiff/0.2.0, percent-encoding/2.1.0, perf-event-open-sys/1.0.1, pest/2.1.3, pest_derive/2.1.0, pest_generator/2.1.3, pest_meta/2.1.3, petgraph/0.5.1, phf/0.8.0, phf_codegen/0.8.0, phf_generator/0.8.0, phf_shared/0.8.0, pin-project-lite/0.2.7, pkg-config/0.3.18, polonius-engine/0.13.0, ppv-lite86/0.2.8, precomputed-hash/0.1.1, pretty_assertions/0.6.1, proc-macro-error/1.0.4, proc-macro-error-attr/1.0.4, 
proc-macro2/1.0.32, psm/0.1.16, pulldown-cmark/0.7.2, pulldown-cmark/0.8.0, punycode/0.4.1, quick-error/1.2.3, quick-error/2.0.0, quine-mc_cluskey/0.2.4, quote/1.0.10, rand/0.7.3, rand/0.8.4, rand_chacha/0.2.2, rand_chacha/0.3.0, rand_core/0.5.1, rand_core/0.6.2, rand_hc/0.2.0, rand_hc/0.3.0, rand_pcg/0.2.1, rand_xorshift/0.2.0, rand_xoshiro/0.6.0, rayon/1.5.1, rayon-core/1.9.1, redox_syscall/0.2.10, redox_users/0.4.0, regex/1.5.4, regex-automata/0.1.10, regex-syntax/0.6.25, remove_dir_all/0.5.3, rls-data/0.19.1, rls-span/0.5.3, rustc-demangle/0.1.21, rustc-hash/1.1.0, rustc-rayon/0.3.1, rustc-rayon-core/0.3.1, rustc-semver/1.1.0, rustfix/0.5.1, rustfix/0.6.0, rustversion/1.0.5, ryu/1.0.5, same-file/1.0.6, scoped-tls/1.0.0, scopeguard/1.1.0, semver/0.11.0, semver/1.0.4, semver-parser/0.10.2, serde/1.0.130, serde_derive/1.0.130, serde_json/1.0.69, sha-1/0.8.2, sha-1/0.9.1, sha2/0.9.1, sharded-slab/0.1.4, shell-escape/0.1.5, shlex/1.0.0, siphasher/0.3.3, smallvec/1.7.0, snap/1.0.5, stable_deref_trait/1.2.0, stacker/0.1.14, string_cache/0.8.0, string_cache_codegen/0.5.1, strsim/0.8.0, structopt/0.3.16, structopt-derive/0.4.9, strum/0.18.0, strum_macros/0.18.0, syn/1.0.81, synstructure/0.12.6, tar/0.4.37, tempfile/3.2.0, tendril/0.4.1, tera/1.10.0, term/0.6.1, term/0.7.0, termcolor/1.1.2, termize/0.1.1, tester/0.9.0, textwrap/0.11.0, thiserror/1.0.20, thiserror-impl/1.0.20, thread_local/1.1.3, time/0.1.43, tinyvec/1.5.0, tinyvec_macros/0.1.0, toml/0.5.7, tracing/0.1.29, tracing-attributes/0.1.18, tracing-core/0.1.21, tracing-log/0.1.2, tracing-serde/0.1.2, tracing-subscriber/0.2.25, tracing-tree/0.1.10, typenum/1.12.0, ucd-parse/0.1.8, ucd-trie/0.1.3, unic-char-property/0.9.0, unic-char-range/0.9.0, unic-common/0.9.0, unic-emoji-char/0.9.0, unic-ucd-version/0.9.0, unicase/2.6.0, unicode-bidi/0.3.7, unicode-normalization/0.1.19, unicode-script/0.5.3, unicode-security/0.0.5, unicode-segmentation/1.8.0, unicode-width/0.1.8, unicode-xid/0.2.2, unicode_categories/0.1.1, 
unified-diff/0.2.1, unindent/0.1.7, url/2.2.2, utf-8/0.7.5, vec_map/0.8.2, version_check/0.9.3, walkdir/2.3.2, wasi/0.9.0+wasi-snapshot-preview1, winapi/0.3.9, winapi-i686-pc-windows-gnu/0.4.0, winapi-util/0.1.5, winapi-x86_64-pc-windows-gnu/0.4.0, xattr/0.2.2, xml5ever/0.16.1, xz2/0.1.6, yaml-rust/0.3.5, yansi-term/0.1.2

The 'if source in p' statement filters out crates that are internal to rustc. Surprisingly, the remaining rustc-* crates are separately packaged forks of existing crates. Would the security team feel more comfortable with this?
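
A sketch of how the proposed X-Vendored-Sources field could be generated from a Cargo.lock, added here as an example; it is not part of the original comment or of any Ubuntu tooling. The function names, the embedded sample lock file and the separate list of crates whose source is not the crates.io index are assumptions made for illustration.

```python
try:
    import tomllib as toml_parser   # standard library, Python 3.11+
except ModuleNotFoundError:
    import toml as toml_parser      # third-party module used in the comment above

CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"

# Constructed sample in Cargo.lock format; not the real rustc lock file.
SAMPLE_LOCK = '''
[[package]]
name = "addr2line"
version = "0.16.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "ansi_term"
version = "0.12.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "example-git-crate"
version = "0.1.0"
source = "git+https://example.invalid/example-git-crate#0000000"
[[package]]
name = "rustc_driver"
version = "0.0.0"
'''

def vendored_crates(lock_text):
    """Return (vendored, off_registry) as sorted lists of 'name/version'."""
    vendored, off_registry = [], []
    for p in toml_parser.loads(lock_text).get("package", []):
        if "source" not in p:          # workspace-internal crate, not vendored
            continue
        entry = f"{p['name']}/{p['version']}"
        vendored.append(entry)
        if p["source"] != CRATES_IO:   # git or alternate registry: track separately
            off_registry.append(entry)
    return sorted(vendored), sorted(off_registry)

def control_field(name, entries, width=79):
    """Fold entries into a deb822 field; continuation lines start with a space."""
    lines, current = [], f"{name}:"
    for i, e in enumerate(entries):
        token = e + ("," if i < len(entries) - 1 else "")
        if len(current) + 1 + len(token) > width:
            lines.append(current)
            current = " " + token
        else:
            current += " " + token
    return "\n".join(lines + [current])
```

Calling `control_field("X-Vendored-Sources", vendored_crates(text)[0])` on the decompressed lock file yields a folded field that a tracker can match against crate advisories by name and version.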