Closed. pinkforest closed this issue 2 years ago.
I don't see the point of embedding it into the binary, then. You need to read it and extract the data anyway; you might as well just read it, hash it, and cross-reference it with the database of hashes that you have. That's how I envision it working for embedded device firmware, for example.
Not to mention that you cannot embed the hash of a binary into the binary itself, unless it's MD5 and you're appending to the end. That's how GIFs that print their own MD5 are made.
> Not to mention that you cannot embed the hash of a binary into the binary itself

The hash is just the auditable data?
I think a hash of the binary makes more sense. It's zero overhead and much easier to compute in a platform-agnostic way.
If I understand it correctly, the idea would be the option to only add the hash of the dependency list to the binary? Then you can distribute the binary but keep the dependency list secret, but if you decide to give the list to someone they can verify that you're not lying and that the list is genuine (because the hash matches).
Or I guess if it's only about binary size you can add a link to the location of the list, and everyone can verify with the hash that the link wasn't modified.
> but if you decide to give the list to someone they can verify that you're not lying and that the list is genuine (because the hash matches).
No, you can't, because they could have embedded a bogus hash into the binary to begin with.
That sounds like it would be solved with reproducible builds and binary signing, or at least hashing the entire binary. Not embedding additional data into the binary.
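As an added example (not code from cargo-auditable or from anyone in this thread), here is a small Python sketch of the two verification models being compared above: a hash of the dependency list embedded by the producer, versus a hash of the whole artifact looked up in a database the producer does not control. The names `build_binary`, `embedded_list_matches`, `whole_binary_matches` and `naive_self_hash_fails`, the `MAGIC` marker and the sample code and dependency lists are all constructed for this example and are not cargo-auditable's format.

```python
# Added example, not code from cargo-auditable or the thread's participants.
import hashlib

# Constructed sample inputs: a stand-in for compiled code and two dependency lists.
CODE = b"\x7fELF...constructed stand-in for machine code..."
HONEST_LIST = b"serde 1.0.0\ntokio 1.0.0\n"
BOGUS_LIST = b"nothing-suspicious 0.1.0\n"

MAGIC = b"AUDITABLE-DEPLIST-SHA256:"  # hypothetical marker, not cargo-auditable's format


def sha256_hex(data: bytes) -> bytes:
    return hashlib.sha256(data).hexdigest().encode()


def build_binary(code: bytes, dependency_list: bytes) -> bytes:
    """Producer side: append a hash of the dependency list to the binary.
    The producer chooses both inputs, so the hash only commits to whatever
    list the producer decided to hash."""
    return code + MAGIC + sha256_hex(dependency_list)


def embedded_list_matches(binary: bytes, dependency_list: bytes) -> bool:
    """Consumer side: check a dependency list handed to us against the hash
    found inside the binary. A match shows the list is the one the producer
    hashed, not that the list is truthful."""
    pos = binary.rfind(MAGIC)
    if pos == -1:
        return False
    embedded = binary[pos + len(MAGIC):]
    return embedded == sha256_hex(dependency_list)


def whole_binary_matches(binary: bytes, trusted_hashes: dict) -> bool:
    """Consumer side: hash the entire artifact and look it up in a database
    the producer does not control (for instance hashes of independently
    reproduced builds). Any change to the binary, including a swapped
    embedded hash, changes the lookup key."""
    return hashlib.sha256(binary).hexdigest() in trusted_hashes


def naive_self_hash_fails(code: bytes) -> bool:
    """Embedding sha256(code) into the binary yields a new binary whose hash
    differs from the embedded value, so the naive 'hash of itself' scheme
    cannot match. Returns True when that mismatch is observed."""
    embedded = sha256_hex(code)
    final_binary = code + MAGIC + embedded
    return sha256_hex(final_binary) != embedded


# Trusted database: hash of the binary an independent party reproduced from
# the real dependency list. Constructed here; in practice it is held out of band.
TRUSTED_HASHES = {
    hashlib.sha256(build_binary(CODE, HONEST_LIST)).hexdigest(): "independent rebuild",
}


def demo() -> dict:
    """Run both checks against a binary whose producer embedded a bogus list."""
    shipped = build_binary(CODE, BOGUS_LIST)
    return {
        "embedded_hash_accepts_bogus_list": embedded_list_matches(shipped, BOGUS_LIST),
        "whole_binary_in_trusted_db": whole_binary_matches(shipped, TRUSTED_HASHES),
        "naive_self_hash_fails": naive_self_hash_fails(CODE),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The first check passes for the bogus list because the producer computed the embedded hash from that very list; the embedded value is self-consistent but proves nothing to a third party. The second check fails because the shipped artifact differs from the one an independent rebuild produced, which is the property a hash database or signed reproducible build actually gives you.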
The idea of hashing a binary and cross-referencing the hash with a database is a good one, and could be valuable for WASM, embedded devices, and other use cases where ~2Kb overhead is too costly. But the technical implementation of it is so different from cargo auditable that I don't think it makes sense for it to be in the same project, and I have no plans to work on it myself. If someone wants to work on it, I would encourage them to start a new repo. I'll be open to code sharing where it makes sense, but I don't expect much code to be shared.
Would it be feasible to support attestation instead of embedding all auditable data?
So instead of embedding the whole thing into the binary it could simply include a URL and/or a hash of some sort.
Then that URL / hash can be checked via attestation optionally.
Not sure if worthwhile, but it might be good for wasm binaries at least?