Plans for supporting reading and verification

[8W9aG]

Is there any work being planned to support reading and verification of the SXG format using libsxg?

[twifkak]

Google has no short term plans, but it's definitely of interest for the long term.

• Our implementation is in C++ and uses several internal libs in our monorepo, so it's hard to extract.
• I'd like to release a reference implementation for an SXG cache (including verification), but am leaning towards Rust for memory safety. Let me know if you have compelling reasons for a C implementation first.
• In the meantime, I'd welcome external contributions. (With a "things may break" disclaimer until the design is stabilized and behavior well-tested.)
• Alternatively, it may be possible to libify chromium's parser, though I don't know how easy. It has a lot of deps on other parts of chromium.

[8W9aG]

I don't really have a compelling reason for a C implementation first, my project uses C++ so I guess it would suit me to have it that way but that sounds more like a me problem. Would you welcome contributions made to this repo, first by adding a parser for the format, and after that adding verification methods?

Thanks for the links to chromiums parser, its a great reference.

[twifkak]

Yeah, that plan sounds great. Some recommendations (but I'm flexible):

• If the new feature dramatically increases the binary size or adds new dependencies, put it behind a cmake option.
• If possible, avoid OpenSSL functions that aren't also available in BoringSSL. (We made that mistake, and had to add some ifdefs and cmake options to address that retroactively.)

As an aside, it seems like you can embed Rust in C. AFAIK it has a minimal runtime but I'm not an expert.