ttyridal / masterpassword-firefox

masterpassword for Firefox
GNU General Public License v3.0
Request: Remove/abstract all compiled/obfuscated JS or binaries #36

Closed jamesdwilson closed 7 years ago

jamesdwilson commented 7 years ago

In the case of scrypt-JS, which is compiled, as well as any other obfuscated JS or binaries, it would be preferable for security if these could be acquired by a git submodule or scripted on build to show chain of custody.

Reason being, if I was malicious, the first place I would try to hide something would be in one of those opaque files.

Open to your thoughts on this.

ttyridal commented 7 years ago

Being able to reproduce/verify the scrypt-asm.js is definitively a key part of the trust in MasterPassword for Firefox.

While not fully automated (like you suggest?), the makefile in /libscrypt should contain enough information (version and source of scrypt files, compiler versions) to repeat the build.

And in fact, it has been done as part of the review process at Mozilla-AMO. It was actually a bit of a hurdle because the reviewer got a different binary. Turned out emscripten produces slightly different results on OS X and Linux/Ubuntu.

ttyridal commented 7 years ago

@jamesdwilson, could you specify a bit more where you think transparency is lacking? Was the info in /libscrypt/Makefile satisfying, or was it the build-everything-in-one-shot you were missing?

(please reopen if you still think this needs improvement)
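An added example, not part of the thread or the project's code: one way to enforce the chain of custody discussed above is to flag every compiled or minified file in a tree and require a pinned SHA-256 for it, taken from an independent rebuild. The manifest format, the heuristics, and the file names (such as `kdf-asm.js`) are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

BINARY_SUFFIXES = {".wasm", ".so", ".dll", ".exe"}
MAX_LINE = 2000  # heuristic: hand-written JS rarely has lines this long

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def is_opaque(path: Path) -> bool:
    """Heuristic for compiled/minified files a reviewer cannot read directly."""
    if path.suffix != ".js":
        return path.suffix in BINARY_SUFFIXES
    data = path.read_bytes()
    if b'"use asm"' in data or b"'use asm'" in data:
        return True  # asm.js module, e.g. emscripten output
    return any(len(line) > MAX_LINE for line in data.splitlines())

def audit(root: Path, manifest: dict) -> dict:
    """Map each opaque file (relative path) to 'ok', 'mismatch' or 'unpinned'."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if not is_opaque(path):
            continue
        rel = path.relative_to(root).as_posix()
        pinned = manifest.get(rel)  # digest recorded from a clean rebuild
        report[rel] = "unpinned" if pinned is None else (
            "ok" if sha256(path) == pinned else "mismatch")
    return report

def demo() -> dict:
    # Constructed sample tree; file names and contents are made up.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "main.js").write_text("function f() {\n  return 1;\n}\n")
        (root / "lib" / "kdf-asm.js").write_text('function m(){"use asm";return {}}')
        (root / "lib" / "vendor.js").write_text("var a=1;" * 500)  # one long line
        (root / "lib" / "blob.wasm").write_bytes(b"\x00asm\x01\x00\x00\x00")
        manifest = {"lib/kdf-asm.js": sha256(root / "lib" / "kdf-asm.js"),
                    "lib/blob.wasm": "0" * 64}  # second pin is deliberately stale
        return audit(root, manifest)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Because the thread reports that emscripten output differed between OS X and Linux, a pinned digest is only meaningful together with the platform and compiler version it was built with.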