Maybe this is just paranoia on my side. However, currently if I want to do an audit of my dependencies, I can download and extract the crate source downloaded from crates.io and read it. There are even tools promoting such an approach, like cargo-crev.
But if the crate contains binary wasm code, reading it and understanding what it does gets much harder. I understand that the compiled code can't do arbitrary stuff to the system itself, but it could still produce malicious code in its output, or simply be buggy and produce wrong code.
So I wonder, would it be possible to somehow make it possible (through some tooling) to automatically bundle both the original source code and the wasm, and have a way to opt into the longer compile time while making sure it is indeed built from the given sources?
dtolnay changed the title from "Binary artefacts on crates.io hinder auditing" to "Tooling for verifying wasm was compiled from the public source" on Oct 15, 2019
Absolutely -- this is along the lines of what I called out in the readme:
including easy tooling for doing reproducible builds of the Wasm artifact for confirming that it was indeed compiled from the publicly available sources.
Currently it can verify that a given .wasm file was compiled from a specified source, but it only works if both the compilation and verification are done on the same OS.
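The check such tooling performs after rebuilding the crate's wasm from the published source is a byte-for-byte comparison of the shipped artifact against the rebuilt one. The following Rust program is an added example and not code from this project or its author: it validates that both inputs carry the WebAssembly header, then reports whether they are identical, differ in size, or differ in content (with the first differing offset, which helps locate an unstable section when builds on different hosts disagree). The `sample_module` helper, the "producers" custom section payloads and the `verify_wasm` usage are constructed for the demonstration and are not real compiler output.

```rust
// Added example, not code from this project: the byte-level comparison a
// reproducible-build check makes after rebuilding a crate's .wasm from the
// published source. Sample inputs below are constructed modules.
use std::fmt;

const WASM_MAGIC: [u8; 4] = *b"\0asm"; // every module starts with "\0asm"
const WASM_VERSION: [u8; 4] = [1, 0, 0, 0]; // binary format version 1

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    /// Rebuilt artifact is byte-for-byte identical to the shipped one.
    Identical,
    /// One input is not a WebAssembly module (bad magic or version).
    NotWasm { which: &'static str },
    /// Sizes differ: usually a different toolchain, OS or optimisation level.
    LengthMismatch { shipped: usize, rebuilt: usize },
    /// Same size but bytes differ; the first differing offset helps locate
    /// which section (often a custom section) is unstable across hosts.
    ContentMismatch { offset: usize },
}

impl fmt::Display for Verdict {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Verdict::Identical => write!(f, "OK: rebuilt wasm matches shipped wasm"),
            Verdict::NotWasm { which } => write!(f, "FAIL: {} input is not a wasm module", which),
            Verdict::LengthMismatch { shipped, rebuilt } => write!(
                f,
                "FAIL: size differs (shipped {} bytes, rebuilt {} bytes)",
                shipped, rebuilt
            ),
            Verdict::ContentMismatch { offset } => {
                write!(f, "FAIL: first differing byte at offset {:#x}", offset)
            }
        }
    }
}

/// True when `bytes` carries the 8-byte WebAssembly header (magic + version).
pub fn is_wasm_module(bytes: &[u8]) -> bool {
    bytes.len() >= 8 && bytes[..4] == WASM_MAGIC && bytes[4..8] == WASM_VERSION
}

/// Compare a shipped artifact with one rebuilt from the published source.
pub fn verify_rebuild(shipped: &[u8], rebuilt: &[u8]) -> Verdict {
    if !is_wasm_module(shipped) {
        return Verdict::NotWasm { which: "shipped" };
    }
    if !is_wasm_module(rebuilt) {
        return Verdict::NotWasm { which: "rebuilt" };
    }
    if shipped.len() != rebuilt.len() {
        return Verdict::LengthMismatch { shipped: shipped.len(), rebuilt: rebuilt.len() };
    }
    match shipped.iter().zip(rebuilt).position(|(a, b)| a != b) {
        None => Verdict::Identical,
        Some(offset) => Verdict::ContentMismatch { offset },
    }
}

/// Constructed sample (not real compiler output): a module with one function
/// type and a custom "producers" section whose payload stands in for toolchain
/// metadata, the kind of content that can differ between build hosts even
/// when the code sections are identical.
pub fn sample_module(producer: &[u8]) -> Vec<u8> {
    debug_assert!(producer.len() < 100, "section size must fit one LEB128 byte");
    let mut m = Vec::new();
    m.extend_from_slice(&WASM_MAGIC);
    m.extend_from_slice(&WASM_VERSION);
    // Type section (id 1, size 4): one func type with no params, no results.
    m.extend_from_slice(&[1, 4, 1, 0x60, 0, 0]);
    // Custom section (id 0): name length, name "producers", then the payload.
    let name = b"producers";
    m.push(0);
    m.push((1 + name.len() + producer.len()) as u8); // section size (< 128)
    m.push(name.len() as u8);
    m.extend_from_slice(name);
    m.extend_from_slice(producer);
    m
}

/// Stand-alone use: `verify_wasm <shipped.wasm> <rebuilt.wasm>` (hypothetical
/// binary name); exits 1 on any mismatch. Without arguments it demonstrates
/// the check on the constructed modules.
fn main() {
    let args: Vec<String> = std::env::args().collect();
    let verdict = if args.len() == 3 {
        let shipped = std::fs::read(&args[1]).expect("read shipped artifact");
        let rebuilt = std::fs::read(&args[2]).expect("read rebuilt artifact");
        verify_rebuild(&shipped, &rebuilt)
    } else {
        verify_rebuild(&sample_module(b"linux"), &sample_module(b"macos"))
    };
    println!("{}", verdict);
    if verdict != Verdict::Identical {
        std::process::exit(1);
    }
}
```

The constructed modules differ only in the custom-section payload, so the verdict points at offset 0x1a, past the header and type section; on real artifacts that is the kind of location a reviewer would inspect to decide whether the difference is harmless metadata or a real divergence in the compiled code.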