From 8a041c63c00ab9f03cfc468dcdecf2138e31513e Mon Sep 17 00:00:00 2001 From: figsoda Date: Sun, 4 Dec 2022 20:52:06 -0500 Subject: [PATCH 01/13] rustPlatform.buildRustPackage: build auditable binaries --- .../rust/build-rust-package/default.nix | 6 +++ .../rust/hooks/cargo-build-hook.sh | 2 +- .../rust/hooks/cargo-check-hook.sh | 2 +- .../rust/hooks/cargo-nextest-hook.sh | 2 +- pkgs/development/compilers/rust/cargo.nix | 3 ++ .../tools/rust/cargo-auditable/default.nix | 51 ++++++++++++------- 6 files changed, 45 insertions(+), 21 deletions(-) diff --git a/pkgs/build-support/rust/build-rust-package/default.nix b/pkgs/build-support/rust/build-rust-package/default.nix index 679e10a3442..a7a9d9b52fc 100644 --- a/pkgs/build-support/rust/build-rust-package/default.nix +++ b/pkgs/build-support/rust/build-rust-package/default.nix @@ -11,6 +11,7 @@ , cargoInstallHook , cargoNextestHook , cargoSetupHook +, cargo-auditable , rustc , libiconv , windows @@ -42,6 +43,7 @@ , buildFeatures ? [ ] , checkFeatures ? buildFeatures , useNextest ? false +, auditable ? true , depsExtraArgs ? {} # Toggles whether a custom sysroot is created when the target is a .json file. @@ -113,6 +115,8 @@ stdenv.mkDerivation ((removeAttrs args [ "depsExtraArgs" "cargoUpdateHook" "carg cargoCheckFeatures = checkFeatures; + cargoCommand = if auditable then "cargo auditable" else "cargo"; + patchRegistryDeps = ./patch-registry-deps; nativeBuildInputs = nativeBuildInputs ++ [ @@ -123,6 +127,8 @@ stdenv.mkDerivation ((removeAttrs args [ "depsExtraArgs" "cargoUpdateHook" "carg cargoInstallHook cargoSetupHook rustc + ] ++ lib.optionals auditable [ + cargo-auditable ]; buildInputs = buildInputs diff --git a/pkgs/build-support/rust/hooks/cargo-build-hook.sh b/pkgs/build-support/rust/hooks/cargo-build-hook.sh index 7503fae4cd7..0fe07d6e856 100644 --- a/pkgs/build-support/rust/hooks/cargo-build-hook.sh +++ b/pkgs/build-support/rust/hooks/cargo-build-hook.sh 
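Review bot: The new `auditable` argument in the `@@ -42,6 +43,7 @@` hunk of `build-rust-package/default.nix` has no comment, although it changes how every Rust package is compiled and, when true, adds `cargo-auditable` to `nativeBuildInputs`. A line above it such as `# Build with cargo-auditable so that the dependency list is embedded in the produced binaries` would tell packagers what they give up by setting it to false. The diffstat shows only insertions for this file, so the `removeAttrs args [...]` list seems unchanged and `auditable` is presumably also passed through to `stdenv.mkDerivation` as a plain attribute. If that is not intended, it should be added to that list.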
@@ -31,7 +31,7 @@ cargoBuildHook() { "CXX_@rustBuildPlatform@=@cxxForBuild@" \ "CC_@rustTargetPlatform@=@ccForHost@" \ "CXX_@rustTargetPlatform@=@cxxForHost@" \ - cargo build -j $NIX_BUILD_CORES \ + ${cargoCommand-cargo} build -j $NIX_BUILD_CORES \ --target @rustTargetPlatformSpec@ \ --frozen \ ${cargoBuildProfileFlag} \ diff --git a/pkgs/build-support/rust/hooks/cargo-check-hook.sh b/pkgs/build-support/rust/hooks/cargo-check-hook.sh index 57fc2779cfe..c2a909c76f6 100644 --- a/pkgs/build-support/rust/hooks/cargo-check-hook.sh +++ b/pkgs/build-support/rust/hooks/cargo-check-hook.sh @@ -33,7 +33,7 @@ cargoCheckHook() { ( set -x - cargo test \ + ${cargoCommand-cargo} test \ -j $NIX_BUILD_CORES \ ${argstr} -- \ --test-threads=${threads} \ diff --git a/pkgs/build-support/rust/hooks/cargo-nextest-hook.sh b/pkgs/build-support/rust/hooks/cargo-nextest-hook.sh index de85683ead2..a4ab778c298 100644 --- a/pkgs/build-support/rust/hooks/cargo-nextest-hook.sh +++ b/pkgs/build-support/rust/hooks/cargo-nextest-hook.sh @@ -33,7 +33,7 @@ cargoNextestHook() { ( set -x - cargo nextest run \ + ${cargoCommand-cargo} nextest run \ -j ${threads} \ ${argstr} -- \ ${checkFlags} \ diff --git a/pkgs/development/compilers/rust/cargo.nix b/pkgs/development/compilers/rust/cargo.nix index 2c9a3b1af47..ec80533cc06 100644 --- a/pkgs/development/compilers/rust/cargo.nix +++ b/pkgs/development/compilers/rust/cargo.nix @@ -2,6 +2,7 @@ , file, curl, pkg-config, python3, openssl, cmake, zlib , installShellFiles, makeWrapper, cacert, rustPlatform, rustc , libiconv, CoreFoundation, Security +, auditable ? true }: rustPlatform.buildRustPackage { @@ -12,6 +13,8 @@ rustPlatform.buildRustPackage { cargoVendorDir = "vendor"; buildAndTestSubdir = "src/tools/cargo"; + inherit auditable; + passthru = { rustc = rustc; inherit (rustc) tests; diff --git a/pkgs/development/tools/rust/cargo-auditable/default.nix b/pkgs/development/tools/rust/cargo-auditable/default.nix index 64580d8ad8b..52d647b2b0a 100644 
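Review bot: `${cargoCommand-cargo}` in `cargoBuildHook` falls back to `cargo` only when the variable is unset, so a `cargoCommand` that is set but empty expands to nothing and `build` is taken as the program name. `${cargoCommand:-cargo}` covers both cases. The expansion is presumably left unquoted on purpose, because `cargo auditable` has to split into two words; a comment such as `# unquoted: cargoCommand may be "cargo auditable"` would keep a later cleanup from quoting it. The same applies to the `cargo test` line in `cargo-check-hook.sh` and the `cargo nextest run` line in `cargo-nextest-hook.sh`. All three function bodies continue outside their hunks.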
--- a/pkgs/development/tools/rust/cargo-auditable/default.nix +++ b/pkgs/development/tools/rust/cargo-auditable/default.nix @@ -1,23 +1,38 @@ -{ lib, rustPlatform, fetchFromGitHub }: +{ lib, fetchFromGitHub, makeRustPlatform, rustc, cargo }: -rustPlatform.buildRustPackage rec { - pname = "cargo-auditable"; - version = "0.5.5"; +let + args = rec { + pname = "cargo-auditable"; + version = "0.5.5"; - src = fetchFromGitHub { - owner = "rust-secure-code"; - repo = pname; - rev = "v${version}"; - sha256 = "sha256-mEmTgd7sC2jmYeb5pEO985v/aWWKlq/mSQUAGi32loY="; + src = fetchFromGitHub { + owner = "rust-secure-code"; + repo = pname; + rev = "v${version}"; + sha256 = "sha256-mEmTgd7sC2jmYeb5pEO985v/aWWKlq/mSQUAGi32loY="; + }; + + cargoSha256 = "sha256-G72UUqvFaTY/GQSkpz1wIzjb7vIWuAjvKMZosUB6YsA="; + + meta = with lib; { + description = "A tool to make production Rust binaries auditable"; + homepage = "https://github.com/rust-secure-code/cargo-auditable"; + changelog = "https://github.com/rust-secure-code/cargo-auditable/blob/v${version}/cargo-auditable/CHANGELOG.md"; + license = with licenses; [ mit /* or */ asl20 ]; + maintainers = with maintainers; [ figsoda ]; + }; }; - cargoSha256 = "sha256-G72UUqvFaTY/GQSkpz1wIzjb7vIWuAjvKMZosUB6YsA="; - - meta = with lib; { - description = "A tool to make production Rust binaries auditable"; - homepage = "https://github.com/rust-secure-code/cargo-auditable"; - changelog = "https://github.com/rust-secure-code/cargo-auditable/blob/v${version}/cargo-auditable/CHANGELOG.md"; - license = with licenses; [ mit /* or */ asl20 ]; - maintainers = with maintainers; [ figsoda ]; + rustPlatform = makeRustPlatform { + inherit rustc; + cargo = cargo.override { + auditable = false; + }; }; -} + + bootstrap = rustPlatform.buildRustPackage (args // { + auditable = false; + }); +in + +rustPlatform.buildRustPackage.override { cargo-auditable = bootstrap; } args From 0e5137f267ecf7dc0c9d68cc1b6fde13f5dc77ef Mon Sep 17 00:00:00 2001 
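Review bot: The `let` block in `cargo-auditable/default.nix` builds the package twice, and nothing in the file says why. As far as the hunk shows, `bootstrap` is compiled with `auditable = false` on a platform whose `cargo` is also non-auditable, and is then passed to the final build as its `cargo-auditable`. This looks like it breaks the cycle of `buildRustPackage` needing `cargo-auditable`. A comment above `rustPlatform = makeRustPlatform {` would record that, e.g. `# cargo-auditable cannot be built with itself: build a non-auditable bootstrap copy first, then use it for the real build`.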
From: figsoda Date: Mon, 5 Dec 2022 18:43:06 -0500 Subject: [PATCH 02/13] rustPlatform.buildRustPackage: make it not auditable by default --- pkgs/build-support/rust/build-rust-package/default.nix | 3 ++- pkgs/development/compilers/rust/cargo.nix | 2 +- pkgs/development/tools/rust/cargo-auditable/default.nix | 4 +++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/pkgs/build-support/rust/build-rust-package/default.nix b/pkgs/build-support/rust/build-rust-package/default.nix index a7a9d9b52fc..6da9566f881 100644 --- a/pkgs/build-support/rust/build-rust-package/default.nix +++ b/pkgs/build-support/rust/build-rust-package/default.nix @@ -43,7 +43,8 @@ , buildFeatures ? [ ] , checkFeatures ? buildFeatures , useNextest ? false -, auditable ? true +, auditable ? false # TODO: change to true + , depsExtraArgs ? {} # Toggles whether a custom sysroot is created when the target is a .json file. diff --git a/pkgs/development/compilers/rust/cargo.nix b/pkgs/development/compilers/rust/cargo.nix index ec80533cc06..5571918fdc6 100644 --- a/pkgs/development/compilers/rust/cargo.nix +++ b/pkgs/development/compilers/rust/cargo.nix @@ -2,7 +2,7 @@ , file, curl, pkg-config, python3, openssl, cmake, zlib , installShellFiles, makeWrapper, cacert, rustPlatform, rustc , libiconv, CoreFoundation, Security -, auditable ? true +, auditable ? false # TODO: change to true when this is the default }: rustPlatform.buildRustPackage { diff --git a/pkgs/development/tools/rust/cargo-auditable/default.nix b/pkgs/development/tools/rust/cargo-auditable/default.nix index 52d647b2b0a..6d8424040d0 100644 --- a/pkgs/development/tools/rust/cargo-auditable/default.nix +++ b/pkgs/development/tools/rust/cargo-auditable/default.nix @@ -35,4 +35,6 @@ let }); in -rustPlatform.buildRustPackage.override { cargo-auditable = bootstrap; } args +rustPlatform.buildRustPackage.override { cargo-auditable = bootstrap; } (args // { + auditable = true; # TODO: remove when this is the default +}) 
From 0024ffa7c26ecaff146cae9f04f465dd5ee144cc Mon Sep 17 00:00:00 2001 From: figsoda Date: Mon, 5 Dec 2022 18:43:34 -0500 Subject: [PATCH 03/13] alacritty: make auditable --- pkgs/applications/terminal-emulators/alacritty/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/terminal-emulators/alacritty/default.nix b/pkgs/applications/terminal-emulators/alacritty/default.nix index 7c0bd8b6410..272b875cd7a 100644 --- a/pkgs/applications/terminal-emulators/alacritty/default.nix +++ b/pkgs/applications/terminal-emulators/alacritty/default.nix @@ -60,6 +60,8 @@ rustPlatform.buildRustPackage rec { cargoSha256 = "sha256-t6ckX0PYI8UHfXhGRpcX8ly3DzE9A6i9P6f3Ny3DBzw="; + auditable = true; # TODO: remove when this is the default + nativeBuildInputs = [ cmake installShellFiles From 6f52f4b6776cb711ff2fe93128767d828bd066af Mon Sep 17 00:00:00 2001 From: figsoda Date: Mon, 5 Dec 2022 18:43:48 -0500 Subject: [PATCH 04/13] rust-analyzer: make auditable --- pkgs/development/tools/rust/rust-analyzer/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/tools/rust/rust-analyzer/default.nix b/pkgs/development/tools/rust/rust-analyzer/default.nix index f9ec10f3430..e70d7b955b1 100644 --- a/pkgs/development/tools/rust/rust-analyzer/default.nix +++ b/pkgs/development/tools/rust/rust-analyzer/default.nix @@ -22,6 +22,8 @@ rustPlatform.buildRustPackage rec { sha256 = "sha256-D0YwkSqwtD08twtCtN5q0a8S0Y26kgDWg1ruRNEQEOw="; }; + auditable = true; # TODO: remove when this is the default + cargoBuildFlags = [ "--bin" "rust-analyzer" "--bin" "rust-analyzer-proc-macro-srv" ]; cargoTestFlags = [ "--package" "rust-analyzer" "--package" "proc-macro-srv-cli" ]; From e4186ccd21b5e7c4253ec12768648f77180fb03b Mon Sep 17 00:00:00 2001 From: figsoda Date: Mon, 5 Dec 2022 18:44:07 -0500 Subject: [PATCH 05/13] jumpy: make auditable --- pkgs/games/jumpy/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/pkgs/games/jumpy/default.nix b/pkgs/games/jumpy/default.nix index 645069e4354..4fea663af53 100644 --- a/pkgs/games/jumpy/default.nix +++ b/pkgs/games/jumpy/default.nix @@ -24,6 +24,8 @@ rustPlatform.buildRustPackage rec { cargoSha256 = "sha256-AXaGuRqSFiq+Uiy+UaqPdPVyDhCogC64KZZ0Ah1Yo7A="; + auditable = true; # TODO: remove when this is the default + nativeBuildInputs = lib.optionals stdenv.isLinux [ pkg-config ]; From 506762f643c53fc3687bd72821e9f88b52243596 Mon Sep 17 00:00:00 2001 From: figsoda Date: Mon, 5 Dec 2022 18:44:22 -0500 Subject: [PATCH 06/13] fd: make auditable --- pkgs/tools/misc/fd/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/fd/default.nix b/pkgs/tools/misc/fd/default.nix index 6dd0e7a6e7c..dc640dc438a 100644 --- a/pkgs/tools/misc/fd/default.nix +++ b/pkgs/tools/misc/fd/default.nix @@ -13,6 +13,8 @@ rustPlatform.buildRustPackage rec { cargoSha256 = "sha256-QFh47Pr+7lIdT++huziKgMJxvsZElTTwu11c7/wjyHE="; + auditable = true; # TODO: remove when this is the default + nativeBuildInputs = [ installShellFiles ]; preFixup = '' From f053bc8339e2fa2598eac55814ef10d4ce7cd157 Mon Sep 17 00:00:00 2001 From: figsoda Date: Mon, 5 Dec 2022 18:44:30 -0500 Subject: [PATCH 07/13] ripgrep: make auditable --- pkgs/tools/text/ripgrep/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/text/ripgrep/default.nix b/pkgs/tools/text/ripgrep/default.nix index 022f8bd25bb..be989994dbf 100644 --- a/pkgs/tools/text/ripgrep/default.nix +++ b/pkgs/tools/text/ripgrep/default.nix @@ -22,6 +22,8 @@ rustPlatform.buildRustPackage rec { cargoSha256 = "1kfdgh8dra4jxgcdb0lln5wwrimz0dpp33bq3h7jgs8ngaq2a9wp"; + auditable = true; # TODO: remove when this is the default + nativeBuildInputs = [ asciidoctor installShellFiles ] ++ lib.optional withPCRE2 pkg-config; buildInputs = lib.optional withPCRE2 pcre2 From b632d78aeacc6259065e4471c1817d3a99b4f305 Mon Sep 17 00:00:00 2001 
From: figsoda Date: Mon, 5 Dec 2022 18:57:49 -0500 Subject: [PATCH 08/13] rav1e: make auditable --- pkgs/tools/video/rav1e/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/video/rav1e/default.nix b/pkgs/tools/video/rav1e/default.nix index ed6a8f54234..b664f32b4df 100644 --- a/pkgs/tools/video/rav1e/default.nix +++ b/pkgs/tools/video/rav1e/default.nix @@ -13,17 +13,19 @@ in rustPlatform.buildRustPackage rec { cargoSha256 = "sha256-V9QbztkFj3t5yBV+yySysDy3Q6IUY4gNzBL8h23aEg4="; + auditable = true; # TODO: remove when this is the default + nativeBuildInputs = [ nasm cargo-c ]; buildInputs = lib.optionals stdenv.isDarwin [ libiconv ]; checkType = "debug"; postBuild = '' - cargo cbuild --release --frozen --prefix=${placeholder "out"} --target ${rustTargetPlatformSpec} + $cargoCommand cbuild --release --frozen --prefix=${placeholder "out"} --target ${rustTargetPlatformSpec} ''; postInstall = '' - cargo cinstall --release --frozen --prefix=${placeholder "out"} --target ${rustTargetPlatformSpec} + $cargoCommand cinstall --release --frozen --prefix=${placeholder "out"} --target ${rustTargetPlatformSpec} ''; meta = with lib; { From 9e3db33a6b05806ec098f54d89d2bdb74fdbbfb1 Mon Sep 17 00:00:00 2001 From: figsoda Date: Mon, 5 Dec 2022 19:10:32 -0500 Subject: [PATCH 09/13] mdbook: make auditable --- pkgs/tools/text/mdbook/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/text/mdbook/default.nix b/pkgs/tools/text/mdbook/default.nix index 56d60eb7fb5..3376937880c 100644 --- a/pkgs/tools/text/mdbook/default.nix +++ b/pkgs/tools/text/mdbook/default.nix @@ -13,6 +13,8 @@ rustPlatform.buildRustPackage rec { cargoSha256 = "sha256-KVoMC8ypikABVkIj5dCSHzYZ9CV8UMuAFxSEYLaQTSk="; + auditable = true; # TODO: remove when this is the default + buildInputs = lib.optionals stdenv.isDarwin [ CoreServices ]; # Tests rely on unset 'RUST_LOG' value to emit INFO messages. 
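Review bot: `$cargoCommand` in the `postBuild` and `postInstall` strings of `rav1e` has no fallback, unlike the hooks in PATCH 01, which use `${cargoCommand-cargo}`. If the variable is ever missing from the build environment, `cbuild` and `cinstall` are run as the command names. Inside a `''` string the fallback form is written `''${cargoCommand:-cargo} cbuild ...`. Whether `cargo auditable` passes the `cbuild` and `cinstall` subcommands through unchanged is not visible here, so the installed library should be checked once for the embedded dependency data.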
From ac17e99f6c3022ce5d8fae790dc98431395a105e Mon Sep 17 00:00:00 2001 From: figsoda Date: Tue, 6 Dec 2022 23:15:57 -0500 Subject: [PATCH 10/13] cargo-auditable: 0.5.5 -> unstable-2022-12-07 Diff: https://github.com/rust-secure-code/cargo-auditable/compare/v0.5.5...246468da22d619c816227797fb176c44026c7105 --- pkgs/development/tools/rust/cargo-auditable/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/development/tools/rust/cargo-auditable/default.nix b/pkgs/development/tools/rust/cargo-auditable/default.nix index 6d8424040d0..b60c0fe6205 100644 --- a/pkgs/development/tools/rust/cargo-auditable/default.nix +++ b/pkgs/development/tools/rust/cargo-auditable/default.nix @@ -3,16 +3,16 @@ let args = rec { pname = "cargo-auditable"; - version = "0.5.5"; + version = "unstable-2022-12-07"; src = fetchFromGitHub { owner = "rust-secure-code"; repo = pname; - rev = "v${version}"; - sha256 = "sha256-mEmTgd7sC2jmYeb5pEO985v/aWWKlq/mSQUAGi32loY="; + rev = "246468da22d619c816227797fb176c44026c7105"; + sha256 = "sha256-tZ6qA20TM+mZa2bYWWdFeM+6104e+hVE9Swst2n6Mx8="; }; - cargoSha256 = "sha256-G72UUqvFaTY/GQSkpz1wIzjb7vIWuAjvKMZosUB6YsA="; + cargoSha256 = "sha256-LkFP/m/pTIDnIueNDwM89lk7FNXnT4Fl8EIdXgR9oOg="; meta = with lib; { description = "A tool to make production Rust binaries auditable"; From a6137b73f9656c0c5d7c8422c0f7444abbdfc14b Mon Sep 17 00:00:00 2001 
From: figsoda Date: Wed, 7 Dec 2022 00:18:58 -0500 Subject: [PATCH 11/13] cargo-auditable-cargo-wrapper: init --- .../rust/build-rust-package/default.nix | 11 ++++++----- pkgs/build-support/rust/hooks/cargo-build-hook.sh | 2 +- pkgs/build-support/rust/hooks/cargo-check-hook.sh | 2 +- pkgs/build-support/rust/hooks/cargo-nextest-hook.sh | 2 +- .../tools/rust/cargo-auditable/cargo-wrapper.nix | 13 +++++++++++++ pkgs/tools/video/rav1e/default.nix | 4 ++-- pkgs/top-level/all-packages.nix | 1 + 7 files changed, 25 insertions(+), 10 deletions(-) create mode 100644 pkgs/development/tools/rust/cargo-auditable/cargo-wrapper.nix diff --git a/pkgs/build-support/rust/build-rust-package/default.nix b/pkgs/build-support/rust/build-rust-package/default.nix index 6da9566f881..20fb41d0aaa 100644 --- a/pkgs/build-support/rust/build-rust-package/default.nix +++ b/pkgs/build-support/rust/build-rust-package/default.nix @@ -12,6 +12,7 @@ , cargoNextestHook , cargoSetupHook , cargo-auditable +, cargo-auditable-cargo-wrapper , rustc , libiconv , windows @@ -116,11 +117,13 @@ stdenv.mkDerivation ((removeAttrs args [ "depsExtraArgs" "cargoUpdateHook" "carg cargoCheckFeatures = checkFeatures; - cargoCommand = if auditable then "cargo auditable" else "cargo"; - patchRegistryDeps = ./patch-registry-deps; - nativeBuildInputs = nativeBuildInputs ++ [ + nativeBuildInputs = nativeBuildInputs ++ lib.optionals auditable [ + (cargo-auditable-cargo-wrapper.override { + inherit cargo-auditable; + }) + ] ++ [ cacert git cargoBuildHook @@ -128,8 +131,6 @@ stdenv.mkDerivation ((removeAttrs args [ "depsExtraArgs" "cargoUpdateHook" "carg cargoInstallHook cargoSetupHook rustc - ] ++ lib.optionals auditable [ - cargo-auditable ]; buildInputs = buildInputs diff --git a/pkgs/build-support/rust/hooks/cargo-build-hook.sh b/pkgs/build-support/rust/hooks/cargo-build-hook.sh index 0fe07d6e856..7503fae4cd7 100644 --- a/pkgs/build-support/rust/hooks/cargo-build-hook.sh 
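Review bot: In the `@@ -116,11 +117,13 @@` hunk of `build-rust-package/default.nix` the wrapper is moved ahead of every other entry in `nativeBuildInputs`, which suggests its `cargo` has to win over the real one on `PATH`, but the ordering carries no comment. A line such as `# keep first: its cargo must shadow the real cargo on PATH` above the `(cargo-auditable-cargo-wrapper.override {` entry would protect it from being reordered. Where the unwrapped `cargo` enters the build environment is not visible in this hunk, so the shadowing should be confirmed by checking which `cargo` the hooks resolve during a build.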
+++ b/pkgs/build-support/rust/hooks/cargo-build-hook.sh @@ -31,7 +31,7 @@ cargoBuildHook() { "CXX_@rustBuildPlatform@=@cxxForBuild@" \ "CC_@rustTargetPlatform@=@ccForHost@" \ "CXX_@rustTargetPlatform@=@cxxForHost@" \ - ${cargoCommand-cargo} build -j $NIX_BUILD_CORES \ + cargo build -j $NIX_BUILD_CORES \ --target @rustTargetPlatformSpec@ \ --frozen \ ${cargoBuildProfileFlag} \ diff --git a/pkgs/build-support/rust/hooks/cargo-check-hook.sh b/pkgs/build-support/rust/hooks/cargo-check-hook.sh index c2a909c76f6..57fc2779cfe 100644 --- a/pkgs/build-support/rust/hooks/cargo-check-hook.sh +++ b/pkgs/build-support/rust/hooks/cargo-check-hook.sh @@ -33,7 +33,7 @@ cargoCheckHook() { ( set -x - ${cargoCommand-cargo} test \ + cargo test \ -j $NIX_BUILD_CORES \ ${argstr} -- \ --test-threads=${threads} \ diff --git a/pkgs/build-support/rust/hooks/cargo-nextest-hook.sh b/pkgs/build-support/rust/hooks/cargo-nextest-hook.sh index a4ab778c298..de85683ead2 100644 --- a/pkgs/build-support/rust/hooks/cargo-nextest-hook.sh +++ b/pkgs/build-support/rust/hooks/cargo-nextest-hook.sh @@ -33,7 +33,7 @@ cargoNextestHook() { ( set -x - ${cargoCommand-cargo} nextest run \ + cargo nextest run \ -j ${threads} \ ${argstr} -- \ ${checkFlags} \ diff --git a/pkgs/development/tools/rust/cargo-auditable/cargo-wrapper.nix b/pkgs/development/tools/rust/cargo-auditable/cargo-wrapper.nix new file mode 100644 index 00000000000..3afa59739a3 --- /dev/null +++ b/pkgs/development/tools/rust/cargo-auditable/cargo-wrapper.nix @@ -0,0 +1,13 @@ +{ lib, writeShellApplication, cargo, cargo-auditable }: + +(writeShellApplication { + name = "cargo"; + runtimeInputs = [ cargo cargo-auditable ]; + text = '' + CARGO_AUDITABLE_IGNORE_UNSUPPORTED=1 cargo auditable "$@" + ''; +}) // { + meta = cargo-auditable.meta // { + mainProgram = "cargo"; + }; +} diff --git a/pkgs/tools/video/rav1e/default.nix b/pkgs/tools/video/rav1e/default.nix index b664f32b4df..c1b5643f673 100644 --- a/pkgs/tools/video/rav1e/default.nix 
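Review bot: `CARGO_AUDITABLE_IGNORE_UNSUPPORTED=1` in the `text` of the new `cargo-wrapper.nix` is set unconditionally and without a comment. Judging by its name, it makes `cargo auditable` continue where it cannot embed the dependency data, so a package with `auditable = true` could build successfully and still ship binaries without that data. A comment in the script would make the trade-off visible, e.g. `# do not fail on targets cargo-auditable cannot handle; those outputs carry no audit data`. The command line could also become `CARGO_AUDITABLE_IGNORE_UNSUPPORTED=1 exec cargo auditable "$@"`, so the wrapper shell does not stay between the build and cargo. The `lib` argument of the function is unused.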
+++ b/pkgs/tools/video/rav1e/default.nix @@ -21,11 +21,11 @@ in rustPlatform.buildRustPackage rec { checkType = "debug"; postBuild = '' - $cargoCommand cbuild --release --frozen --prefix=${placeholder "out"} --target ${rustTargetPlatformSpec} + cargo cbuild --release --frozen --prefix=${placeholder "out"} --target ${rustTargetPlatformSpec} ''; postInstall = '' - $cargoCommand cinstall --release --frozen --prefix=${placeholder "out"} --target ${rustTargetPlatformSpec} + cargo cinstall --release --frozen --prefix=${placeholder "out"} --target ${rustTargetPlatformSpec} ''; meta = with lib; { diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 141d3bb52ac..b63e54d0412 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -15206,6 +15206,7 @@ with pkgs; inherit (darwin.apple_sdk.frameworks) Security; }; cargo-auditable = callPackage ../development/tools/rust/cargo-auditable { }; + cargo-auditable-cargo-wrapper = callPackage ../development/tools/rust/cargo-auditable/cargo-wrapper.nix { }; cargo-bisect-rustc = callPackage ../development/tools/rust/cargo-bisect-rustc { inherit (darwin.apple_sdk.frameworks) Security; openssl = openssl_1_1; From 4ab0618bc585ce69c2f34c0e1f12c7d86522f114 Mon Sep 17 00:00:00 2001 From: figsoda Date: Wed, 7 Dec 2022 00:21:46 -0500 Subject: [PATCH 12/13] librsvg: make auditable --- pkgs/development/libraries/librsvg/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/librsvg/default.nix b/pkgs/development/libraries/librsvg/default.nix index 6b174a7dfa4..a60da602e07 100644 --- a/pkgs/development/libraries/librsvg/default.nix +++ b/pkgs/development/libraries/librsvg/default.nix @@ -15,7 +15,7 @@ , rustPlatform , rustc , rust -, cargo +, cargo-auditable-cargo-wrapper , gi-docgen , python3Packages , gnome 
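Review bot: `librsvg` swaps `cargo` for `cargo-auditable-cargo-wrapper` in its arguments and, in the `@@ -57,7 +57,7 @@` hunk, in its input list, with no comment and no switch comparable to `auditable` in `buildRustPackage`. A reader of the list cannot tell that `cargo` on `PATH` is now a script that runs `cargo auditable`; a trailing comment such as `# provides cargo, run through cargo auditable` would say so. Because the wrapper sets `CARGO_AUDITABLE_IGNORE_UNSUPPORTED=1`, a successful build does not by itself show that the installed library carries audit data, so the output should be inspected once.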
@@ -57,7 +57,7 @@ stdenv.mkDerivation rec { gdk-pixbuf pkg-config rustc - cargo + cargo-auditable-cargo-wrapper python3Packages.docutils vala rustPlatform.cargoSetupHook From 0f4a7276c4840bfe1db3dd4467eece3e76d4ee43 Mon Sep 17 00:00:00 2001 From: figsoda Date: Wed, 7 Dec 2022 18:01:08 -0500 Subject: [PATCH 13/13] cargo-auditable: unstable-2022-12-07 -> 0.6.0 --- pkgs/development/tools/rust/cargo-auditable/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/development/tools/rust/cargo-auditable/default.nix b/pkgs/development/tools/rust/cargo-auditable/default.nix index b60c0fe6205..1c621276021 100644 --- a/pkgs/development/tools/rust/cargo-auditable/default.nix +++ b/pkgs/development/tools/rust/cargo-auditable/default.nix @@ -3,16 +3,16 @@ let args = rec { pname = "cargo-auditable"; - version = "unstable-2022-12-07"; + version = "0.6.0"; src = fetchFromGitHub { owner = "rust-secure-code"; repo = pname; - rev = "246468da22d619c816227797fb176c44026c7105"; - sha256 = "sha256-tZ6qA20TM+mZa2bYWWdFeM+6104e+hVE9Swst2n6Mx8="; + rev = "v${version}"; + sha256 = "sha256-mSiEC+9QtRjWmywJnGgUqp+q8fhY0qUYrgjrAVaY114="; }; - cargoSha256 = "sha256-LkFP/m/pTIDnIueNDwM89lk7FNXnT4Fl8EIdXgR9oOg="; + cargoSha256 = "sha256-Wz5My/QxPpZVsPBUe3KHT3ttD6CTU8NCY8rhFEC+UlA="; meta = with lib; { description = "A tool to make production Rust binaries auditable";