feat: Add unstable -Zdetect-antivirus option

With a build.detect-antivirus config option to disable the warning.

Author: madsmtm

src/cargo/core/compiler/build_config.rs

@@ -52,6 +52,9 @@ pub struct BuildConfig {
     pub sbom: bool,
     /// Build compile time dependencies only, e.g., build scripts and proc macros
     pub compile_time_deps_only: bool,
+    /// Whether we should try to detect and warn when antivirus software might
+    /// make newly created binaries slow to launch.
+    pub detect_antivirus: bool,
 }
 
 fn default_parallelism() -> CargoResult<u32> {
@@ -127,6 +130,19 @@ impl BuildConfig {
             _ => Vec::new(),
         };
 
+        let detect_antivirus = match (cfg.detect_antivirus, gctx.cli_unstable().detect_antivirus) {
+            // Enabled by default (for now only when the flag is set).
+            (None, unstable_flag) => unstable_flag,
+            // But allow overriding with configuration option.
+            (Some(cfg_option), true) => cfg_option,
+            (Some(_), false) => {
+                gctx.shell().warn(
+                    "ignoring 'build.detect-antivirus' config, pass `-Zdetect-antivirus` to enable it",
+                )?;
+                false
+            }
+        };
+
         Ok(BuildConfig {
             requested_kinds,
             jobs,
@@ -145,6 +161,7 @@ impl BuildConfig {
             timing_outputs,
             sbom,
             compile_time_deps_only: false,
+            detect_antivirus,
         })
     }
 

src/cargo/core/features.rs

@@ -854,6 +854,7 @@ unstable_cli_options!(
     checksum_freshness: bool = ("Use a checksum to determine if output is fresh rather than filesystem mtime"),
     codegen_backend: bool = ("Enable the `codegen-backend` option in profiles in .cargo/config.toml file"),
     config_include: bool = ("Enable the `include` key in config files"),
+    detect_antivirus: bool = ("Enable the experimental antivirus detection and the config option to disable it"),
     direct_minimal_versions: bool = ("Resolve minimal dependency versions instead of maximum (direct dependencies only)"),
     dual_proc_macros: bool = ("Build proc-macros for both the host and the target"),
     feature_unification: bool = ("Enable new feature unification modes in workspaces"),
@@ -1373,6 +1374,7 @@ impl CliUnstable {
             "codegen-backend" => self.codegen_backend = parse_empty(k, v)?,
             "config-include" => self.config_include = parse_empty(k, v)?,
             "direct-minimal-versions" => self.direct_minimal_versions = parse_empty(k, v)?,
+            "detect-antivirus" => self.detect_antivirus = parse_empty(k, v)?,
             "dual-proc-macros" => self.dual_proc_macros = parse_empty(k, v)?,
             "feature-unification" => self.feature_unification = parse_empty(k, v)?,
             "fix-edition" => {

src/cargo/ops/cargo_compile/mod.rs

@@ -556,8 +556,7 @@ where `<compatible-ver>` is the latest version supporting rustc {rustc_version}"
         }
     }
 
-    // TODO(madsmtm): Add some sort of option for this.
-    if false {
+    if build_config.detect_antivirus {
         // TODO(madsmtm): Maybe only do this when we have above a certain
         // number of build scripts or test binaries to run?
 

src/cargo/util/context/mod.rs

@@ -2770,6 +2770,8 @@ pub struct CargoBuildConfig {
     pub sbom: Option<bool>,
     /// Unstable feature `-Zbuild-analysis`.
     pub analysis: Option<CargoBuildAnalysis>,
+    /// Unstable feature `-Zdetect-antivirus`.
+    pub detect_antivirus: Option<bool>,
 }
 
 /// Metrics collection for build analysis.

src/cargo/util/detect_antivirus/mod.rs

@@ -117,7 +117,8 @@ pub fn detect_and_report(gtcx: &GlobalContext) -> CargoResult<()> {
             We recommend this option by default, since it will make your \
             iteration time lower, though please be aware of the security \
             implications in doing this. Another option is to disable this \
-            warning with TODO config.toml option.\n\
+            warning by add `build.detect-antivirus = false` to your \
+            ~/.cargo/config.toml.\n\
             \
             See <https://support.apple.com/en-gb/guide/security/sec469d47bd8/web> \
             for more information.",

src/doc/src/reference/unstable.md

@@ -131,6 +131,7 @@ Each new feature described below should explain how to use it.
     * [Package message format](#package-message-format) --- Message format for `cargo package`.
     * [`fix-edition`](#fix-edition) --- A permanently unstable edition migration helper.
     * [Plumbing subcommands](https://github.com/crate-ci/cargo-plumbing) --- Low, level commands that act as APIs for Cargo, like `cargo metadata`
+    * [Detect antivirus](#detect-antivirus) --- Detect whether newly created binaries may be slow to launch due to antivirus.
 
 ## allow-features
 
@@ -1947,6 +1948,25 @@ enabled = true
 Enables the new build-dir filesystem layout.
 This layout change unblocks work towards caching and locking improvements.
 
+## Detect Antivirus
+
+* Tracking Issue: [#0](https://github.com/rust-lang/cargo/issues/0)
+
+The `-Zdetect-antivirus` flag enables detection of antivirus software that might make launching a binary for the first time slower (which in turn makes Cargo's build scripts and tests slower), and outputs a descriptive warning to the user if this is the case.
+
+This feature will be enabled by default in the future, with the `build.detect-antivirus` option to opt-out.
+
+Currently only implemented for macOS' XProtect/Gatekeeper, but could be expanded to Windows Defender in the future.
+
+```toml
+# Example ~/.cargo/config.toml
+
+# Disable warning, e.g. if using a workplace-issued Mac that
+# doesn't allow granting Developer Tool permissions.
+[build]
+detect-antivirus = false
+```
+
 
 # Stabilized and removed features